
Windows Analysis Report
6eftz6UKDm.exe

Overview

General Information

Sample name: 6eftz6UKDm.exe
renamed because original name is a hash value
Original sample name: 2b1706b1a255a25718d22746c3ae418e.exe
Analysis ID: 1575331
MD5: 2b1706b1a255a25718d22746c3ae418e
SHA1: dedb5907b8746c76ad5bc264e05e06784447dcdd
SHA256: 6c07d9e629e0b333fb62691c0a8c21e63e6c8da54a7e02fb387d6aec8fd031e0
Tags: exe, user-abuse_ch

Detection

Credential Flusher
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Credential Flusher
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • 6eftz6UKDm.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\6eftz6UKDm.exe" MD5: 2B1706B1A255A25718D22746C3AE418E)
    • taskkill.exe (PID: 7552 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 7648 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 7712 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 7776 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 7840 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • firefox.exe (PID: 7896 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • firefox.exe (PID: 7928 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • firefox.exe (PID: 7944 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 8184 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25315 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {196808b4-aa94-4ea0-926d-c9a927698a1e} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208b7e6e910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 1796 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -parentBuildID 20230927232528 -prefsHandle 3888 -prefMapHandle 3904 -prefsLen 26330 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4bb2915-743c-44bc-be3c-ec644e694703} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208c9574510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 7508 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 4928 -prefsLen 33141 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3537fcfe-2cf5-4957-a7fb-f3ebb284c8c3} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208c9256110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source: Process Memory Space: 6eftz6UKDm.exe PID: 7472
Rule: JoeSecurity_CredentialFlusher
Description: Yara detected Credential Flusher
Author: Joe Security
Strings: (none listed)
    No Sigma rule has matched
    No Suricata rule has matched


    AV Detection

    Source: 6eftz6UKDm.exe | Avira: detected
    Source: 6eftz6UKDm.exe | Virustotal: Detection: 22%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
    Source: 6eftz6UKDm.exe | Joe Sandbox ML: detected
    Source: 6eftz6UKDm.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49739 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.9:49746 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49769 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49770 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49772 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49828 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49829 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.9:49831 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49834 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49835 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49836 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49837 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49910 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49909 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49913 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49914 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49915 version: TLS 1.2
    Source: Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.1600097626.00000208D3803000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
    Source: Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.1598520735.00000208C5408000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000E.00000003.1594066935.00000208C95CA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1597014566.00000208C5410000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.1598520735.00000208C5408000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.1597706406.00000208C5408000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1597014566.00000208C5410000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000E.00000003.1594066935.00000208C95CA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1597633676.00000208D3803000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
    Source: Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.1600097626.00000208D3803000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.1597706406.00000208C5408000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1597633676.00000208D3803000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_006DDBBE
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006AC2A2 FindFirstFileExW,0_2_006AC2A2
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E68EE FindFirstFileW,FindClose,0_2_006E68EE
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_006E698F
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_006DD076
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_006DD3A9
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_006E9642
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_006E979D
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_006E9B2B
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_006E5C97
    Source: firefox.exe | Memory has grown: Private usage: 1MB later: 211MB
    Source: unknown | Network traffic detected: DNS query count 31
    Source: Joe Sandbox View | IP Address: 34.149.100.209
    Source: Joe Sandbox View | IP Address: 151.101.65.91
    Source: Joe Sandbox View | IP Address: 34.117.188.166
    Source: Joe Sandbox View | JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006ECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_006ECE44
    Source: global traffic | HTTP traffic detected:
        GET /canonical.html HTTP/1.1
        Host: detectportal.firefox.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
        Accept: */*
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Cache-Control: no-cache
        Pragma: no-cache
        Connection: keep-alive
    Source: global traffic | HTTP traffic detected:
        GET /success.txt?ipv4 HTTP/1.1
        Host: detectportal.firefox.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
        Accept: */*
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Connection: keep-alive
        Pragma: no-cache
        Cache-Control: no-cache
    Source: firefox.exe, 0000000E.00000003.1641489792.00000208C8A35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1641646951.00000208C8A0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8*://www.youtube.com/* equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1565683415.00000208D0777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568202919.00000208D004D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1565683415.00000208D0777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568202919.00000208D004D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1631853261.00000208C8BBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1641489792.00000208C8A35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1565683415.00000208D0777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568202919.00000208D004D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1565683415.00000208D0777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568202919.00000208D004D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1557395097.00000208CB28D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2610286174.0000026DFE00C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1557395097.00000208CB28D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2610286174.0000026DFE00C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
    Source: firefox.exe, 0000000E.00000003.1557395097.00000208CB28D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2610286174.0000026DFE00C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 00000013.00000002.2610286174.0000026DFE00C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&f equals www.facebook.com (Facebook)
    Source: firefox.exe, 00000013.00000002.2610286174.0000026DFE00C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&f equals www.twitter.com (Twitter)
    Source: firefox.exe, 00000013.00000002.2610286174.0000026DFE00C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&f equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1580622732.00000208C9B8A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: moz-extension://6ce79cb5-15f7-4802-bae6-9c49e29d85ec/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1581245779.00000208C9AF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1631853261.00000208C8BBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1581245779.00000208C9AF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1641489792.00000208C8A35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1630065203.00000208C9AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1568282998.00000208CA0F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1578969857.00000208CA0F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1560418677.00000208CA0F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
    Source: global trafficDNS traffic detected: DNS query: detectportal.firefox.com
    Source: global trafficDNS traffic detected: DNS query: youtube.com
    Source: global trafficDNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
    Source: global trafficDNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
    Source: global trafficDNS traffic detected: DNS query: contile.services.mozilla.com
    Source: global trafficDNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
    Source: global trafficDNS traffic detected: DNS query: spocs.getpocket.com
    Source: global trafficDNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
    Source: global trafficDNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
    Source: global trafficDNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
    Source: global trafficDNS traffic detected: DNS query: example.org
    Source: global trafficDNS traffic detected: DNS query: ipv4only.arpa
    Source: global trafficDNS traffic detected: DNS query: shavar.services.mozilla.com
    Source: global trafficDNS traffic detected: DNS query: push.services.mozilla.com
    Source: global trafficDNS traffic detected: DNS query: firefox.settings.services.mozilla.com
    Source: global trafficDNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
    Source: global trafficDNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
    Source: global trafficDNS traffic detected: DNS query: support.mozilla.org
    Source: global trafficDNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
    Source: global trafficDNS traffic detected: DNS query: www.youtube.com
    Source: global trafficDNS traffic detected: DNS query: www.facebook.com
    Source: global trafficDNS traffic detected: DNS query: www.wikipedia.org
    Source: global trafficDNS traffic detected: DNS query: star-mini.c10r.facebook.com
    Source: global trafficDNS traffic detected: DNS query: youtube-ui.l.google.com
    Source: global trafficDNS traffic detected: DNS query: dyna.wikimedia.org
    Source: global trafficDNS traffic detected: DNS query: www.reddit.com
    Source: global trafficDNS traffic detected: DNS query: twitter.com
    Source: global trafficDNS traffic detected: DNS query: reddit.map.fastly.net
    Source: global trafficDNS traffic detected: DNS query: services.addons.mozilla.org
    Source: global trafficDNS traffic detected: DNS query: normandy.cdn.mozilla.net
    Source: global trafficDNS traffic detected: DNS query: normandy-cdn.services.mozilla.com
    Source: firefox.exe, 0000000E.00000003.1588863344.00000208D003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: http://127.0.0.1:
    Source: firefox.exe, 0000000E.00000003.1587415236.00000208D0565000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
    Source: firefox.exe, 0000000E.00000003.1587415236.00000208D0565000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
    Source: firefox.exe, 0000000E.00000003.1587415236.00000208D0565000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
    Source: firefox.exe, 0000000E.00000003.1587415236.00000208D0565000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
    Source: firefox.exe, 0000000E.00000003.1597468609.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1599578253.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1597849945.00000208C53F9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582914563.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1596772834.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1600349761.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1598801758.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, gmpopenh264.dll.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
    Source: firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmp, gmpopenh264.dll.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570552939.00000208C53F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
    Source: gmpopenh264.dll.tmp.14.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: firefox.exe, 0000000E.00000003.1597468609.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1599578253.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1597849945.00000208C53F9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582914563.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1596772834.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1600349761.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1598801758.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, gmpopenh264.dll.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
    Source: firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
    Source: firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570552939.00000208C53F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmp, gmpopenh264.dll.tmp.14.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
    Source: firefox.exe, 0000000E.00000003.1597468609.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1599578253.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1597849945.00000208C53F9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582914563.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1596772834.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1600349761.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1598801758.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, gmpopenh264.dll.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
    Source: gmpopenh264.dll.tmp.14.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
    Source: firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
    Source: firefox.exe, 0000000E.00000003.1546207457.00000208D1146000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://detectportal.firefox.com
    Source: firefox.exe, 0000000E.00000003.1641646951.00000208C8A0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://detectportal.firefox.com/
    Source: firefox.exe, 0000000E.00000003.1573622257.00000208C9D6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557395097.00000208CB263000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546207457.00000208D1146000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: http://detectportal.firefox.com/canonical.html
    Source: firefox.exe, 0000000E.00000003.1546207457.00000208D1146000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
    Source: firefox.exe, 0000000E.00000003.1546207457.00000208D11B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546207457.00000208D1146000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9ACC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://json-schema.org/draft-04/schema#
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9ACC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://json-schema.org/draft-06/schema#
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9ACC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://json-schema.org/draft-07/schema#-
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9ACC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mozilla.org
    Source: firefox.exe, 0000000E.00000003.1641909833.00000208C81C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mozilla.org/
    Source: firefox.exe, 0000000E.00000003.1464290576.00000208CA2EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1589593509.00000208CBCB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1574040229.00000208C8850000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1631036638.00000208C9377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1473697877.00000208CA294000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1511825111.00000208C9CE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556627367.00000208D016B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1473697877.00000208CA2E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522681990.00000208C9F45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558214510.00000208CB20C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1594066935.00000208C959B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1463315463.00000208CA2DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1511237633.00000208C9EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1541834291.00000208CA2F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464290576.00000208CA2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562614154.00000208C9E8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1511237633.00000208C9EC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1516803096.00000208D0217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1454552162.00000208C9E8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1454552162.00000208C9EB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mozilla.org/MPL/2.0/.
    Source: firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
    Source: firefox.exe, 0000000E.00000003.1597468609.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1599578253.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1597849945.00000208C53F9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582914563.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1596772834.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1600349761.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1598801758.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, gmpopenh264.dll.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0C
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmp, gmpopenh264.dll.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0N
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570552939.00000208C53F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
    Source: firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
    Source: gmpopenh264.dll.tmp.14.drString found in binary or memory: http://ocsp.thawte.com0
    Source: firefox.exe, 0000000E.00000003.1559928350.00000208CB01E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557022971.00000208D0127000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0.
    Source: firefox.exe, 0000000E.00000003.1557022971.00000208D0127000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0W
    Source: firefox.exe, 0000000E.00000003.1559928350.00000208CB01E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557022971.00000208D0127000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
    Source: gmpopenh264.dll.tmp.14.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
    Source: gmpopenh264.dll.tmp.14.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
    Source: gmpopenh264.dll.tmp.14.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
    Source: gmpopenh264.dll.tmp.14.drString found in binary or memory: http://www.mozilla.com0
    Source: firefox.exe, 0000000E.00000003.1591444067.00000208CB472000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/2005/app-updatex
    Source: firefox.exe, 0000000E.00000003.1587415236.00000208D0565000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/2006/browser/search/
    Source: firefox.exe, 0000000E.00000003.1630609179.00000208C93A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1629538543.00000208CA0D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
    Source: firefox.exe, 00000012.00000003.1446042620.00000265F37ED000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1442758347.00000265F37ED000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2616382518.00000265F37ED000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000003.1441045703.00000265F37ED000.00000004.00000020.00020000.00000000.sdmp, mozilla-temp-41.14.drString found in binary or memory: http://www.videolan.org/x264.html
    Source: firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557022971.00000208D0127000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
    Source: firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1557022971.00000208D0127000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
    Source: firefox.exe, 0000000E.00000003.1634758279.00000208D0558000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
    Source: firefox.exe, 0000000E.00000003.1413911550.00000208C7B7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413825914.00000208C7B67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413376769.00000208C7B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413252165.00000208C7900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413730356.00000208C7B4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413504851.00000208C7B34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.duckduckgo.com/ac/
    Source: firefox.exe, 0000000E.00000003.1635817553.00000208CB086000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577067245.00000208CB086000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
    Source: firefox.exe, 0000000E.00000003.1586772907.00000208D2A2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.firefox.com
    Source: firefox.exe, 0000000E.00000003.1630609179.00000208C93A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://accounts.firefox.com/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://accounts.firefox.com/settings/clients
    Source: firefox.exe, 0000000E.00000003.1548358855.00000208D0185000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1474434037.00000208D0A2F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
    Source: firefox.exe, 0000000E.00000003.1560418677.00000208CA0C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
    Source: firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/addon/enhancer-for-youtube/
    Source: firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/addon/facebook-container/
    Source: firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/
    Source: firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/addon/to-google-translate/
    Source: firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/firefox/addon/wikipedia-context-menu-search/
    Source: firefox.exe, 0000000E.00000003.1570988365.00000208D2FAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1639107053.00000208D2FB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ads-us.rd.linksynergy.com/as.php
    Source: firefox.exe, 0000000E.00000003.1631853261.00000208C8BBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1631853261.00000208C8B5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1631853261.00000208C8BCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ads.stickyadstv.com/firefox-etp
    Source: firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://allegro.pl/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://api.accounts.firefox.com/v1
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
    Source: firefox.exe, 0000000E.00000003.1641489792.00000208C8A35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1587415236.00000208D0565000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org
    Source: firefox.exe, 0000000E.00000003.1641489792.00000208C8A35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
    Source: firefox.exe, 0000000E.00000003.1556474224.00000208D03CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547822300.00000208D03CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1588863344.00000208D003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1585583482.00000208D31DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://blocked.cdn.mozilla.net/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
    Source: firefox.exe, 00000010.00000002.2608955121.000001C499BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2615734905.0000026DFE203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
    Source: firefox.exe, 00000010.00000002.2608955121.000001C499BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2615734905.0000026DFE203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
    Source: firefox.exe, 0000000E.00000003.1582909666.00000208D2F30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
    Source: firefox.exe, 0000000E.00000003.1473172608.00000208CA11E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1189266
    Source: firefox.exe, 0000000E.00000003.1473172608.00000208CA11E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1193802
    Source: firefox.exe, 0000000E.00000003.1473172608.00000208CA11E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1207993
    Source: firefox.exe, 0000000E.00000003.1473172608.00000208CA11E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1283601
    Source: firefox.exe, 0000000E.00000003.1473172608.00000208CA11E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1678448
    Source: firefox.exe, 0000000E.00000003.1522681990.00000208C9F45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
    Source: firefox.exe, 0000000E.00000003.1473172608.00000208CA11E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=792480
    Source: firefox.exe, 0000000E.00000003.1473172608.00000208CA11E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=809550
    Source: firefox.exe, 0000000E.00000003.1473172608.00000208CA11E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=840161
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
    Source: firefox.exe, 0000000E.00000003.1413911550.00000208C7B7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413825914.00000208C7B67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413376769.00000208C7B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413252165.00000208C7900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413730356.00000208C7B4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413504851.00000208C7B34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://completion.amazon.com/search/complete?q=
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9AB7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content-signature-2.cdn.mozilla.net
    Source: firefox.exe, 0000000E.00000003.1636653343.00000208C9611000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content-signature-2.cdn.mozilla.net/
    Source: firefox.exe, 0000000E.00000003.1587558959.00000208D054E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://content.cdn.mozilla.net
    Source: firefox.exe, 00000010.00000002.2608955121.000001C499BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2615734905.0000026DFE203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
    Source: firefox.exe, 00000010.00000002.2608955121.000001C499BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2615734905.0000026DFE203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
    Source: firefox.exe, 0000000E.00000003.1555516553.00000208D0586000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile.services.mozilla.com
    Source: firefox.exe, 0000000E.00000003.1587953666.00000208D03BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile.services.mozilla.com/
    Source: firefox.exe, 0000000E.00000003.1639810044.00000208CBC37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1587415236.00000208D0565000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://contile.services.mozilla.com/v1/tiles
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://coverage.mozilla.org
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://crash-stats.mozilla.org/report/index/
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/993268
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://dap-02.api.divviup.org
    Source: firefox.exe, 0000000E.00000003.1511237633.00000208C9EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1454552162.00000208C9EB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
    Source: firefox.exe, 0000000E.00000003.1413911550.00000208C7B7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1544407149.00000208D30A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413825914.00000208C7B67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413376769.00000208C7B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413252165.00000208C7900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586330212.00000208D30AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1521804118.00000208C9FA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1465430808.00000208C9FA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413730356.00000208C7B4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1469673945.00000208C9FA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413504851.00000208C7B34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/
    Source: firefox.exe, 0000000E.00000003.1544407149.00000208D30A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/?t=ffab&q=
    Source: firefox.exe, 0000000E.00000003.1415701485.00000208C7733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1415467587.00000208C771C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1621241383.00000208C7739000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1414838270.00000208C7733000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
    Source: firefox.exe, 0000000E.00000003.1415701485.00000208C7733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1415467587.00000208C771C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1621241383.00000208C7739000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1414838270.00000208C7733000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
    Source: firefox.exe, 0000000E.00000003.1567061944.00000208D004F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1627331441.00000208D0058000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1635384411.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2610286174.0000026DFE013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
    Source: firefox.exe, 0000000E.00000003.1443988382.00000208C9931000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
    Source: firefox.exe, 0000000E.00000003.1445134824.00000208C994A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1447747003.00000208CB3BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1443988382.00000208C9931000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
    Source: firefox.exe, 0000000E.00000003.1586209399.00000208D311C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox.settings.services.mozilla.com
    Source: firefox.exe, 0000000E.00000003.1586209399.00000208D311C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox.settings.services.mozilla.com/
    Source: firefox.exe, 0000000E.00000003.1622198670.00000208D3111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/
    Source: firefox.exe, 0000000E.00000003.1560418677.00000208CA0C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fpn.firefox.com/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
    Source: firefox.exe, 0000000E.00000003.1567061944.00000208D004F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1627331441.00000208D0058000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1635384411.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2610286174.0000026DFE013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.cdn.mozilla.net/
    Source: firefox.exe, 00000013.00000002.2610286174.0000026DFE0C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
    Source: firefox.exe, 00000013.00000002.2610286174.0000026DFE0C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
    Source: firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2B2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2610286174.0000026DFE030000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
    Source: firefox.exe, 00000013.00000002.2610286174.0000026DFE0C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
    Source: firefox.exe, 0000000E.00000003.1635384411.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
    Source: firefox.exe, 00000013.00000002.2610286174.0000026DFE0C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/recommendations
    Source: firefox.exe, 0000000E.00000003.1635384411.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/recommendationsS
    Source: firefox.exe, 0000000E.00000003.1635384411.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/recommendationsS7
    Source: firefox.exe, 0000000E.00000003.1635384411.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/google/closure-compiler/issues/3177
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0217000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0217000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/lit/lit/issues/1266
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
    Source: firefox.exe, 0000000E.00000003.1413825914.00000208C7B67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413376769.00000208C7B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413252165.00000208C7900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413730356.00000208C7B4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413504851.00000208C7B34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mozilla-services/screenshots
    Source: firefox.exe, 0000000E.00000003.1638986270.00000208D3131000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/uuidjs/uuid#getrandomvalues-not-supported
    Source: firefox.exe, 0000000E.00000003.1635384411.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/zertosh/loose-envify)
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
    Source: firefox.exe, 0000000E.00000003.1473221346.00000208CA685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1560418677.00000208CA0D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1641646951.00000208C8A0E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1470383323.00000208CA1BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568491765.00000208CA0D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1552399905.00000208CA633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ib.absa.co.za/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://ideas.mozilla.org/
    Source: firefox.exe, 0000000E.00000003.1585583482.00000208D31DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/apps/oldsyncS
    Source: firefox.exe, 0000000E.00000003.1573327709.00000208C9D9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1580126887.00000208C9D9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/apps/relay
    Source: firefox.exe, 0000000E.00000003.1585583482.00000208D31DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/cmd/H
    Source: firefox.exe, 0000000E.00000003.1585583482.00000208D31DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/cmd/HCX
    Source: firefox.exe, 0000000E.00000003.1585583482.00000208D31DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryU
    Source: firefox.exe, 0000000E.00000003.1585583482.00000208D31DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryUFj
    Source: firefox.exe, 0000000E.00000003.1588281360.00000208D0369000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
    Source: prefs-1.js.14.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
    Source: firefox.exe, 0000000E.00000003.1557395097.00000208CB263000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org
    Source: firefox.exe, 0000000E.00000003.1591553959.00000208CB41E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2610286174.0000026DFE0F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit
    Source: firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535694809.00000208D2FD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/events/1/49ef0ff6-4326-4f0e-90ac-48bd1
    Source: firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/metrics/1/f9fc0007-42de-40a1-839c-ece8
    Source: firefox.exe, 0000000E.00000003.1544407149.00000208D30A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564562281.00000208D2D38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1545245487.00000208D2D38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/messaging-system/undesired-events/1/5a20d7b5-6529-48f5
    Source: firefox.exe, 0000000E.00000003.1544407149.00000208D30A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1564562281.00000208D2D38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1545245487.00000208D2D38000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/messaging-system/undesired-events/1/c043eead-d506-4ff4
    Source: firefox.exe, 0000000E.00000003.1635384411.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submits
    Source: firefox.exe, 00000013.00000002.2610286174.0000026DFE0F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submitz
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://install.mozilla.org
    Source: firefox.exe, 0000000E.00000003.1593536402.00000208C9643000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://json-schema.org/draft/2019-09/schema
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9ACC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://json-schema.org/draft/2019-09/schema.
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9ACC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://json-schema.org/draft/2019-09/schema./
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9ACC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://json-schema.org/draft/2020-12/schema/
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9ACC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
    Source: firefox.exe, 0000000E.00000003.1641782317.00000208C81EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://location.services.mozilla.com/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
    Source: firefox.exe, 0000000E.00000003.1557395097.00000208CB263000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
    Source: firefox.exe, 0000000E.00000003.1635817553.00000208CB086000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577067245.00000208CB086000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
    Source: firefox.exe, 0000000E.00000003.1635817553.00000208CB086000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577067245.00000208CB086000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
    Source: firefox.exe, 0000000E.00000003.1415701485.00000208C7733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1415467587.00000208C771C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1621241383.00000208C7739000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1414838270.00000208C7733000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
    Source: firefox.exe, 0000000E.00000003.1415701485.00000208C7733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1415467587.00000208C771C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1621241383.00000208C7739000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1414838270.00000208C7733000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.inbox.lv/compose?to=%s
    Source: firefox.exe, 0000000E.00000003.1415701485.00000208C7733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1415467587.00000208C771C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1621241383.00000208C7739000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1414838270.00000208C7733000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
    Source: firefox.exe, 00000013.00000002.2610286174.0000026DFE08E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://mitmdetection.services.mozilla.com/
    Source: firefox.exe, 0000000E.00000003.1464387354.00000208CA623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mochitest.youtube.com/
    Source: firefox.exe, 0000000E.00000003.1560418677.00000208CA0C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/about
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/breach-details/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/user/dashboard
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://monitor.firefox.com/user/preferences
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
    Source: firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mozilla.org0/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://oauth.accounts.firefox.com/v1
    Source: firefox.exe, 0000000E.00000003.1415701485.00000208C7733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1415467587.00000208C771C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1621241383.00000208C7739000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1414838270.00000208C7733000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
    Source: firefox.exe, 0000000E.00000003.1473221346.00000208CA656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1477278007.00000208CA656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1474831787.00000208CA65E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464492375.00000208CA663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464387354.00000208CA623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.hbomax.com/page/
    Source: firefox.exe, 0000000E.00000003.1473221346.00000208CA656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1477278007.00000208CA656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1474831787.00000208CA65E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464492375.00000208CA663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464387354.00000208CA623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.hbomax.com/player/
    Source: firefox.exe, 0000000E.00000003.1415701485.00000208C7733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1415467587.00000208C771C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1621241383.00000208C7739000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1414838270.00000208C7733000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://profile.accounts.firefox.com/v1
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://profiler.firefox.com
    Source: firefox.exe, 0000000E.00000003.1586209399.00000208D311C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://push.services.mozilla.com
    Source: firefox.exe, 0000000E.00000003.1636653343.00000208C9611000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://push.services.mozilla.com/
    Source: firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
    Source: firefox.exe, 0000000E.00000003.1588863344.00000208D003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://relay.firefox.com/api/v1/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
    Source: firefox.exe, 0000000E.00000003.1588863344.00000208D003F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2&
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
    Source: firefox.exe, 0000000E.00000003.1548217340.00000208D01A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1588648726.00000208D01BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
    Source: firefox.exe, 0000000E.00000003.1588863344.00000208D003F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
    Source: firefox.exe, 0000000E.00000003.1588863344.00000208D003F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
    Source: firefox.exe, 0000000E.00000003.1413504851.00000208C7B34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com/
    Source: firefox.exe, 0000000E.00000003.1511237633.00000208C9EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1454552162.00000208C9EB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
    Source: firefox.exe, 0000000E.00000003.1628111244.00000208CA346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com
    Source: firefox.exe, 0000000E.00000003.1548217340.00000208D01A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
    Source: firefox.exe, 0000000E.00000003.1548217340.00000208D01A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
    Source: firefox.exe, 0000000E.00000003.1544407149.00000208D30A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1640674303.00000208C8A5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
    Source: firefox.exe, 0000000E.00000003.1548217340.00000208D01A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
    Source: firefox.exe, 0000000E.00000003.1631853261.00000208C8B13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://smartblock.firefox.etp/facebook.svg
    Source: firefox.exe, 0000000E.00000003.1631853261.00000208C8B13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://smartblock.firefox.etp/play.svg
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
    Source: firefox.exe, 0000000E.00000003.1442289905.00000208D056B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1587415236.00000208D0565000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com
    Source: firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2610286174.0000026DFE013000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/
    Source: firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/spocs
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/spocs#
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/spocs#l
    Source: firefox.exe, 0000000E.00000003.1590668479.00000208CB671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1635384411.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2BBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2610286174.0000026DFE0FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/user
    Source: firefox.exe, 0000000E.00000003.1631853261.00000208C8BCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
    Source: firefox.exe, 0000000E.00000003.1631853261.00000208C8BBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1631853261.00000208C8B5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1631853261.00000208C8BCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9AE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
    Source: firefox.exe, 0000000E.00000003.1560418677.00000208CA0C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
    Source: firefox.exe, 0000000E.00000003.1570988365.00000208D2FAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565409313.00000208D07E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1639107053.00000208D2FB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1583893645.00000208D07E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
    Source: firefox.exe, 0000000E.00000003.1579716594.00000208C9DC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/firefox-relay-integration
    Source: firefox.exe, 0000000E.00000003.1573177457.00000208C9DB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1579951576.00000208C9DB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1552799493.00000208D2E2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1587254870.00000208D0730000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584338416.00000208D0718000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565683415.00000208D0709000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1629685602.00000208C9D09000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1580622732.00000208C9B8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1536334912.00000208D2E2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/captive-portal
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
    Source: firefox.exe, 0000000E.00000003.1626406811.00000208D00A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1567061944.00000208D009C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://topsites.services.mozilla.com/cid/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
    Source: firefox.exe, 0000000E.00000003.1560418677.00000208CA0C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://truecolors.firefox.com/
    Source: firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
    Source: firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9AD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://watch.sling.com/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://webcompat.com/issues/new
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
    Source: firefox.exe, 0000000E.00000003.1635384411.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://webpack.js.org/concepts/mode/)
    Source: firefox.exe, 0000000E.00000003.1571527294.00000208CBCD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://weibo.com/
    Source: firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.aliexpress.com/
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.ca/
    Source: firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.co.uk/
    Source: firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/
    Source: firefox.exe, 00000010.00000002.2608955121.000001C499BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2615734905.0000026DFE203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
    Source: firefox.exe, 0000000E.00000003.1547822300.00000208D03DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
    Source: firefox.exe, 0000000E.00000003.1544407149.00000208D30A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.de/
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.fr/
    Source: firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.avito.ru/
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.baidu.com/
    Source: firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bbc.co.uk/
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ctrip.com/
    Source: firefox.exe, 0000000E.00000003.1597468609.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1599578253.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1597849945.00000208C53F9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582914563.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1596772834.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1600349761.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570834264.00000208C53F5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1598801758.00000208C53F7000.00000004.00000020.00020000.00000000.sdmp, gmpopenh264.dll.tmp.14.drString found in binary or memory: https://www.digicert.com/CPS0
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ebay.co.uk/
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ebay.de/
    Source: firefox.exe, 0000000E.00000003.1571869973.00000208CBC33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
    Source: firefox.exe, 0000000E.00000003.1547980785.00000208D01DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/
    Source: firefox.exe, 0000000E.00000003.1439923032.00000208D04C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1439730154.00000208D0235000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/search
    Source: firefox.exe, 0000000E.00000003.1413911550.00000208C7B7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413825914.00000208C7B67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413376769.00000208C7B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413252165.00000208C7900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413730356.00000208C7B4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413504851.00000208C7B34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
    Source: firefox.exe, 0000000E.00000003.1547822300.00000208D03DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search
    Source: firefox.exe, 0000000E.00000003.1544407149.00000208D30A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
    Source: firefox.exe, 0000000E.00000003.1473221346.00000208CA656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1477278007.00000208CA656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1474831787.00000208CA65E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464492375.00000208CA663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464387354.00000208CA623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.hulu.com/watch/
    Source: firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ifeng.com/
    Source: firefox.exe, 0000000E.00000003.1473221346.00000208CA656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1477278007.00000208CA656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1474831787.00000208CA65E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464492375.00000208CA663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464387354.00000208CA623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.instagram.com/
    Source: firefox.exe, 00000010.00000002.2608955121.000001C499BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2615734905.0000026DFE203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
    Source: firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.iqiyi.com/
    Source: firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.leboncoin.fr/
    Source: firefox.exe, 0000000E.00000003.1628111244.00000208CA319000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mobilesuica.com/
    Source: firefox.exe, 0000000E.00000003.1594066935.00000208C95C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1635817553.00000208CB082000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1581293458.00000208C9AE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
    Source: firefox.exe, 0000000E.00000003.1560418677.00000208CA0C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
    Source: firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
    Source: firefox.exe, 0000000E.00000003.1445134824.00000208C994A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1447747003.00000208CB3BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1443988382.00000208C9931000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
    Source: firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/anything/?
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
    Source: firefox.exe, 0000000E.00000003.1579716594.00000208C9DC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/about/legal/terms/subscription-services/
    Source: firefox.exe, 0000000E.00000003.1585541879.00000208D31FE000.00000004.00000800.00020000.00000000.sdmp, targeting.snapshot.json.tmp.14.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
    Source: firefox.exe, 0000000E.00000003.1545719433.00000208D2A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1623884466.00000208D05E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1639284816.00000208D05E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1581293458.00000208C9AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
    Source: firefox.exe, 0000000E.00000003.1579716594.00000208C9DC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/subscription-services/
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
    Source: firefox.exe, 0000000E.00000003.1545719433.00000208D2A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1623884466.00000208D05E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1639284816.00000208D05E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1581293458.00000208C9AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
    Source: firefox.exe, 00000010.00000002.2608955121.000001C499BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2BC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2610286174.0000026DFE0FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
    Source: firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
    Source: firefox.exe, 0000000E.00000003.1588184877.00000208D0381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/V
    Source: firefox.exe, 0000000E.00000003.1545719433.00000208D2A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1581293458.00000208C9AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
    Source: firefox.exe, 0000000E.00000003.1635817553.00000208CB086000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577067245.00000208CB086000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571527294.00000208CBCD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.olx.pl/
    Source: firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.reddit.com/
    Source: firefox.exe, 0000000E.00000003.1581293458.00000208C9AD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.sling.com/
    Source: firefox.exe, 0000000E.00000003.1593698013.00000208C962A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.wykop.pl/
    Source: firefox.exe, 00000013.00000002.2610286174.0000026DFE00C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
    Source: firefox.exe, 0000000E.00000003.1571527294.00000208CBCD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.zhihu.com/
    Source: firefox.exe, 0000000E.00000003.1628111244.00000208CA319000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1544708162.00000208D307B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1520345736.00000208C9C0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549516833.00000208C9C35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://youtube.com
    Source: firefox.exe, 0000000E.00000003.1572457897.00000208CB6E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/
    Source: recovery.jsonlz4.tmp.14.drString found in binary or memory: https://youtube.com/account?=
    Source: firefox.exe, 00000013.00000002.2608658193.0000026DFDF30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/chal
    Source: firefox.exe, 0000000E.00000003.1628111244.00000208CA319000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565683415.00000208D0709000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1523985167.00000208CA6A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561242638.00000208CA6BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1559928350.00000208CB01E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558043137.00000208CB22F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525178029.00000208CA630000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1539247730.00000208CA630000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540509084.00000208CA6BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1473221346.00000208CA6B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1474831787.00000208CA6B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1591553959.00000208CB41E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2607122508.000001C49983A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614167352.000001C499C44000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2607670360.00000265F2880000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2613552824.00000265F2C54000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2607670360.00000265F288A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2608658193.0000026DFDF34000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2607753543.0000026DFDDA0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2607753543.0000026DFDDAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
    Source: firefox.exe, 0000000C.00000002.1401828633.000001EA22E3A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000002.1407490544.0000026B919F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
    Source: firefox.exe, 00000010.00000002.2607122508.000001C49983A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd/
    Source: firefox.exe, 00000010.00000002.2607122508.000001C499830000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd;
    Source: firefox.exe, 0000000E.00000003.1596624501.00000208C5409000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2607122508.000001C499830000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614167352.000001C499C44000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2607670360.00000265F2880000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2613552824.00000265F2C54000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2608658193.0000026DFDF34000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2607753543.0000026DFDDA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
    Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
    Source: unknown | Network traffic detected: HTTP traffic on port 49836 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49878 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
    Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49979
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
    Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
    Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
    Source: unknown | Network traffic detected: HTTP traffic on port 49915 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49909 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49830 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
    Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
    Source: unknown | Network traffic detected: HTTP traffic on port 49834 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49914 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49915
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49837
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49914
    Source: unknown | Network traffic detected: HTTP traffic on port 49979 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49836
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49913
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49835
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49834
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49878
    Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49910
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49832
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49830
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
    Source: unknown | Network traffic detected: HTTP traffic on port 49835 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49910 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49913 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49832 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49909
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49828
    Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
    Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
    Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49739 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.9:49746 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49769 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49770 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49772 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49828 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49829 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.9:49831 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49834 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49835 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49836 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49837 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49910 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49909 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49913 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49914 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49915 version: TLS 1.2
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00709576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

    System Summary

    Source: 6eftz6UKDm.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
    Source: 6eftz6UKDm.exe, 00000000.00000000.1350429714.0000000000732000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
    Source: 6eftz6UKDm.exe, 00000000.00000000.1350429714.0000000000732000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
    Source: 6eftz6UKDm.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
    Source: 6eftz6UKDm.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_00000265F2C02377 NtQuerySystemInformation
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_00000265F2C23BB2 NtQuerySystemInformation
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006DD5EB: CreateFileW,DeviceIoControl,CloseHandle
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_0067BF40
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00678060
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E2046
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006D8298
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006AE4FF
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006A676B
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00704873
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_0067CAF0
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_0069CAA0
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_0068CC39
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006A6DD9
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_0068D065
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_0068B119
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006791C0
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00691394
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00691706
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_0069781B
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_0068997D
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00677920
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006919B0
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00697A4A
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00691C77
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00697CA7
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006FBE44
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006A9EEE
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00691F32
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_00000265F2C02377
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_00000265F2C23BB2
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_00000265F2C23BF2
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_00000265F2C242DC
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: String function: 00694963 appears 31 times
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: String function: 00690A30 appears 46 times
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: String function: 00679CB3 appears 31 times
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: String function: 0068F9F2 appears 40 times
    Source: 6eftz6UKDm.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal80.troj.evad.winEXE@34/36@69/12
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E37B5 GetLastError,FormatMessageW
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006D10BF AdjustTokenPrivileges,CloseHandle
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006DD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File created: C:\Users\user\AppData\Local\Temp\firefox
    Source: 6eftz6UKDm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: firefox.exe, 0000000E.00000003.1554000340.00000208D1146000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586772907.00000208D2A2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546207457.00000208D1146000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
    Source: firefox.exe, 0000000E.00000003.1586772907.00000208D2A2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
    Source: firefox.exe, 0000000E.00000003.1586772907.00000208D2A2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
    Source: firefox.exe, 0000000E.00000003.1586772907.00000208D2A2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
    Source: firefox.exe, 0000000E.00000003.1638301546.00000208C8AF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1545288527.00000208D2D2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT sum(count) FROM events;
    Source: firefox.exe, 0000000E.00000003.1586772907.00000208D2A2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
    Source: firefox.exe, 0000000E.00000003.1586772907.00000208D2A2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
    Source: firefox.exe, 0000000E.00000003.1586772907.00000208D2A2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT sum(count) FROM events;9'
    Source: firefox.exe, 0000000E.00000003.1586772907.00000208D2A2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT sum(count) FROM events;9
    Source: firefox.exe, 0000000E.00000003.1586772907.00000208D2A2A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);
    Source: 6eftz6UKDm.exe | Virustotal: Detection: 22%
    Source: unknown | Process created: C:\Users\user\Desktop\6eftz6UKDm.exe "C:\Users\user\Desktop\6eftz6UKDm.exe"
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
    Source: unknown | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25315 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {196808b4-aa94-4ea0-926d-c9a927698a1e} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208b7e6e910 socket
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -parentBuildID 20230927232528 -prefsHandle 3888 -prefMapHandle 3904 -prefsLen 26330 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4bb2915-743c-44bc-be3c-ec644e694703} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208c9574510 rdd
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 4928 -prefsLen 33141 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3537fcfe-2cf5-4957-a7fb-f3ebb284c8c3} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208c9256110 utility
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25315 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {196808b4-aa94-4ea0-926d-c9a927698a1e} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208b7e6e910 socket
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -parentBuildID 20230927232528 -prefsHandle 3888 -prefMapHandle 3904 -prefsLen 26330 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4bb2915-743c-44bc-be3c-ec644e694703} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208c9574510 rdd
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 4928 -prefsLen 33141 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3537fcfe-2cf5-4957-a7fb-f3ebb284c8c3} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208c9256110 utility
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wsock32.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: 6eftz6UKDm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: 6eftz6UKDm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: 6eftz6UKDm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: 6eftz6UKDm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: 6eftz6UKDm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: 6eftz6UKDm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: 6eftz6UKDm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.1600097626.00000208D3803000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
    Source: Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.1598520735.00000208C5408000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000E.00000003.1594066935.00000208C95CA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1597014566.00000208C5410000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.1598520735.00000208C5408000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.1597706406.00000208C5408000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1597014566.00000208C5410000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000E.00000003.1594066935.00000208C95CA000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1597633676.00000208D3803000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
    Source: Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.1600097626.00000208D3803000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.1597706406.00000208C5408000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1597633676.00000208D3803000.00000004.00000020.00020000.00000000.sdmp
    Source: 6eftz6UKDm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: 6eftz6UKDm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: 6eftz6UKDm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: 6eftz6UKDm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: 6eftz6UKDm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_006742DE
    Source: gmpopenh264.dll.tmp.14.dr | Static PE information: section name: .rodata
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00690A76 push ecx; ret 0_2_00690A89
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_0068F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0068F98E
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00701C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00701C41
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-96567)
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_00000265F2C02377 rdtsc 18_2_00000265F2C02377
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | API coverage: 4.1 %
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_006DDBBE
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006AC2A2 FindFirstFileExW, 0_2_006AC2A2
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E68EE FindFirstFileW,FindClose, 0_2_006E68EE
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_006E698F
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006DD076
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006DD3A9
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006E9642
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006E979D
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_006E9B2B
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006E5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_006E5C97
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_006742DE
    Source: firefox.exe, 00000012.00000002.2613894858.00000265F30C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
    Source: 6eftz6UKDm.exe, 00000000.00000003.1439240936.000000000144D000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1445111710.000000000144E000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1356064033.000000000144D000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000002.1449430247.000000000144E000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1357744805.000000000144D000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1437018824.000000000144D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0ify_Event_{e6488fe6-ae41-4c22-9e48-ca64f419f776}Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: firefox.exe, 00000010.00000002.2607122508.000001C499866000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWR
    Source: 6eftz6UKDm.exe, 00000000.00000003.1439240936.000000000144D000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1445111710.000000000144E000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1356064033.000000000144D000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000002.1449430247.000000000144E000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1357744805.000000000144D000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1437018824.000000000144D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2613894858.00000265F30C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: firefox.exe, 00000010.00000002.2616049029.000001C499E00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
    Source: firefox.exe, 00000010.00000002.2614943613.000001C499D19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
    Source: 6eftz6UKDm.exe, 00000000.00000003.1443907112.000000000140C000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1445111710.0000000001448000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1443625050.0000000001404000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1444913309.0000000001445000.00000004.00000020.00020000.00000000.sdmp, 6eftz6UKDm.exe, 00000000.00000003.1444196478.0000000001412000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW)
    Source: firefox.exe, 00000013.00000002.2607753543.0000026DFDDAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp>
    Source: firefox.exe, 00000010.00000002.2607122508.000001C49983A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
    Source: firefox.exe, 00000012.00000002.2607670360.00000265F288A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWB
    Source: firefox.exe, 00000010.00000002.2616049029.000001C499E00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2613894858.00000265F30C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process information queried: ProcessInformation
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_00000265F2C02377 rdtsc 18_2_00000265F2C02377
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006EEAA2 BlockInput, 0_2_006EEAA2
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006A2622
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_006742DE
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00694CE8 mov eax, dword ptr fs:[00000030h] 0_2_00694CE8
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_006D0B62
    Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006A2622
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_0069083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0069083F
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006909D5 SetUnhandledExceptionFilter, 0_2_006909D5
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_00690C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00690C21
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_006D1201
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006B2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_006B2BA5
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006DB226 SendInput,keybd_event, 0_2_006DB226
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_006F22DA
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_006D0B62
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_006D1663
    Source: 6eftz6UKDm.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
    Source: 6eftz6UKDm.exe | Binary or memory string: Shell_TrayWnd
    Source: firefox.exe, 0000000E.00000003.1563609785.00000208D3803000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex
    Source: C:\Users\user\Desktop\6eftz6UKDm.exeCode function: 0_2_00690698 cpuid 0_2_00690698
    Source: C:\Users\user\Desktop\6eftz6UKDm.exeCode function: 0_2_006CD21C GetLocalTime,0_2_006CD21C
    Source: C:\Users\user\Desktop\6eftz6UKDm.exeCode function: 0_2_006CD27A GetUserNameW,0_2_006CD27A
    Source: C:\Users\user\Desktop\6eftz6UKDm.exeCode function: 0_2_006AB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_006AB952
    Source: C:\Users\user\Desktop\6eftz6UKDm.exeCode function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_006742DE

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: 6eftz6UKDm.exe PID: 7472, type: MEMORYSTR
    Source: 6eftz6UKDm.exe | Binary or memory string: WIN_81
    Source: 6eftz6UKDm.exe | Binary or memory string: WIN_XP
    Source: 6eftz6UKDm.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
    Source: 6eftz6UKDm.exe | Binary or memory string: WIN_XPe
    Source: 6eftz6UKDm.exe | Binary or memory string: WIN_VISTA
    Source: 6eftz6UKDm.exe | Binary or memory string: WIN_7
    Source: 6eftz6UKDm.exe | Binary or memory string: WIN_8

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: 6eftz6UKDm.exe PID: 7472, type: MEMORYSTR
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_006F1204
    Source: C:\Users\user\Desktop\6eftz6UKDm.exe | Code function: 0_2_006F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_006F1806
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (2) | Input Capture (21) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
    Credentials | Domains | Default Accounts | Native API (1) | Valid Accounts (2) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (21) | Encrypted Channel (12) | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Extra Window Memory Injection (1) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Valid Accounts (2) | DLL Side-Loading (1) | NTDS | System Information Discovery (16) | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Access Token Manipulation (21) | Extra Window Memory Injection (1) | LSA Secrets | Security Software Discovery (131) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Process Injection (2) | Masquerading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Valid Accounts (2) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (1) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (21) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (2) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph ID: 1575331
    Sample: 6eftz6UKDm.exe
    Startdate: 15/12/2024
    Architecture: WINDOWS
    Score: 80

    Start
      DNS/IP: youtube.com; youtube-ui.l.google.com; 34 other IPs or domains
      Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Credential Flusher; 3 other signatures
      6eftz6UKDm.exe (started)
        Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
        taskkill.exe 1 (started)
          conhost.exe (started)
        taskkill.exe 1 (started)
          conhost.exe (started)
        taskkill.exe 1 (started)
          conhost.exe (started)
        3 other processes
          conhost.exe (started)
          conhost.exe (started)
      firefox.exe 1 (started)
        firefox.exe 3 210 (started)
          DNS/IP: youtube.com 142.250.181.78, 443, 49735, 49736 GOOGLEUS United States; prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49734, 49748, 49751 GOOGLEUS United States; 10 other IPs or domains
          Dropped: C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+; C:\Users\user\...\gmpopenh264.dll (copy), PE32+
          firefox.exe 1 (started)
          firefox.exe 1 (started)
          firefox.exe 1 (started)

    Source | Detection | Scanner | Label
    6eftz6UKDm.exe | 22% | Virustotal |
    6eftz6UKDm.exe | 100% | Avira | TR/ATRAPS.Gen
    6eftz6UKDm.exe | 100% | Joe Sandbox ML |
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy) | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy) | 0% | Virustotal |
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp | 0% | Virustotal |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    https://truecolors.firefox.com/ | 0% | Avira URL Cloud | safe
    https://truecolors.firefox.com/ | 0% | Virustotal |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    example.org | 93.184.215.14 | true | false | | high
    star-mini.c10r.facebook.com | 157.240.196.35 | true | false | | high
    prod.classify-client.prod.webservices.mozgcp.net | 35.190.72.216 | true | false | | high
    prod.balrog.prod.cloudops.mozgcp.net | 35.244.181.201 | true | false | | high
    twitter.com | 104.244.42.193 | true | false | | high
    prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82 | true | false | | high
    services.addons.mozilla.org | 151.101.65.91 | true | false | | high
    s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
    dyna.wikimedia.org | 185.15.58.224 | true | false | | high
    prod.remote-settings.prod.webservices.mozgcp.net | 34.149.100.209 | true | false | | high
    contile.services.mozilla.com | 34.117.188.166 | true | false | | high
    youtube.com | 142.250.181.78 | true | false | | high
    prod.content-signature-chains.prod.webservices.mozgcp.net | 34.160.144.191 | true | false | | high
    youtube-ui.l.google.com | 172.217.19.14 | true | false | | high
    us-west1.prod.sumo.prod.webservices.mozgcp.net | 34.149.128.2 | true | false | | high
    reddit.map.fastly.net | 151.101.193.140 | true | false | | high
    ipv4only.arpa | 192.0.0.170 | true | false | | high
    prod.ads.prod.webservices.mozgcp.net | 34.117.188.166 | true | false | | high
    push.services.mozilla.com | 34.107.243.93 | true | false | | high
    normandy-cdn.services.mozilla.com | 35.201.103.21 | true | false | | high
    telemetry-incoming.r53-2.services.mozilla.com | 34.120.208.123 | true | false | | high
    www.reddit.com | unknown | unknown | false | | high
    spocs.getpocket.com | unknown | unknown | false | | high
    content-signature-2.cdn.mozilla.net | unknown | unknown | false | | high
    support.mozilla.org | unknown | unknown | false | | high
    firefox.settings.services.mozilla.com | unknown | unknown | false | | high
    www.youtube.com | unknown | unknown | false | | high
    www.facebook.com | unknown | unknown | false | | high
    detectportal.firefox.com | unknown | unknown | false | | high
    normandy.cdn.mozilla.net | unknown | unknown | false | | high
    shavar.services.mozilla.com | unknown | unknown | false | | high
    www.wikipedia.org | unknown | unknown | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox- | firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l | firefox.exe, 00000013.00000002.2610286174.0000026DFE0C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://detectportal.firefox.com/ | firefox.exe, 0000000E.00000003.1641646951.00000208C8A0E000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER% | firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmp | false | | high
    http://www.mozilla.com0 | gmpopenh264.dll.tmp.14.dr | false | | high
    https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl | firefox.exe, 0000000E.00000003.1516803096.00000208D0231000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://merino.services.mozilla.com/api/v1/suggest | firefox.exe, 00000013.00000002.2610286174.0000026DFE08E000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://json-schema.org/draft/2019-09/schema. | firefox.exe, 0000000E.00000003.1581293458.00000208C9ACC000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect | firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://www.leboncoin.fr/ | firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://spocs.getpocket.com/spocs | firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill | firefox.exe, 0000000E.00000003.1544407149.00000208D30A5000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://shavar.services.mozilla.com | firefox.exe, 0000000E.00000003.1628111244.00000208CA346000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://completion.amazon.com/search/complete?q= | firefox.exe, 0000000E.00000003.1413911550.00000208C7B7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413825914.00000208C7B67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413376769.00000208C7B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413252165.00000208C7900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413730356.00000208C7B4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413504851.00000208C7B34000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report | firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://ads.stickyadstv.com/firefox-etp | firefox.exe, 0000000E.00000003.1631853261.00000208C8BBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1631853261.00000208C8B5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1631853261.00000208C8BCA000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://identity.mozilla.com/ids/ecosystem_telemetryU | firefox.exe, 0000000E.00000003.1585583482.00000208D31DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab | firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://monitor.firefox.com/breach-details/ | firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM | firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://www.amazon.com/exec/obidos/external-search/ | firefox.exe, 0000000E.00000003.1547822300.00000208D03DE000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://www.msn.com | firefox.exe, 0000000E.00000003.1635817553.00000208CB086000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577067245.00000208CB086000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta | firefox.exe, 00000010.00000002.2608955121.000001C499BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2615734905.0000026DFE203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr | false | | high
    https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5 | firefox.exe, 0000000E.00000003.1581293458.00000208C9AC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://github.com/mozilla-services/screenshots | firefox.exe, 0000000E.00000003.1413825914.00000208C7B67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413376769.00000208C7B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413252165.00000208C7900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413730356.00000208C7B4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1413504851.00000208C7B34000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://services.addons.mozilla.org/api/v4/addons/addon/ | firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://tracking-protection-issues.herokuapp.com/new | firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report | firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://youtube.com/ | firefox.exe, 0000000E.00000003.1572457897.00000208CB6E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://content-signature-2.cdn.mozilla.net/ | firefox.exe, 0000000E.00000003.1636653343.00000208C9611000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://json-schema.org/draft/2020-12/schema/= | firefox.exe, 0000000E.00000003.1581293458.00000208C9ACC000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://www.instagram.com/ | firefox.exe, 0000000E.00000003.1473221346.00000208CA656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1477278007.00000208CA656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1474831787.00000208CA65E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464492375.00000208CA663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464387354.00000208CA623000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                                                                                    high
                                                                                                                                    https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-reportfirefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://api.accounts.firefox.com/v1firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://www.amazon.com/firefox.exe, 0000000E.00000003.1534847951.00000208D31CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2firefox.exe, 0000000E.00000003.1548217340.00000208D01A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protectionsfirefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://ocsp.rootca1.amazontrust.com0:firefox.exe, 0000000E.00000003.1640674303.00000208C8AEF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://www.youtube.com/firefox.exe, 00000013.00000002.2610286174.0000026DFE00C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://bugzilla.mozilla.org/show_bug.cgi?id=1283601firefox.exe, 0000000E.00000003.1473172608.00000208CA11E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shieldfirefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://MD8.mozilla.org/1/mfirefox.exe, 0000000E.00000003.1634758279.00000208D0558000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://www.bbc.co.uk/firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://addons.mozilla.org/firefox/addon/to-google-translate/firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=firefox.exe, 00000013.00000002.2610286174.0000026DFE0C3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://127.0.0.1:firefox.exe, 0000000E.00000003.1588863344.00000208D003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152firefox.exe, 0000000E.00000003.1511237633.00000208C9EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1454552162.00000208C9EB0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://bugzilla.mofirefox.exe, 0000000E.00000003.1582909666.00000208D2F30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://mitmdetection.services.mozilla.com/firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://static.adsafeprotected.com/firefox-etp-jsfirefox.exe, 0000000E.00000003.1631853261.00000208C8BCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://youtube.com/account?=recovery.jsonlz4.tmp.14.drfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://shavar.services.mozilla.com/firefox.exe, 0000000E.00000003.1548217340.00000208D01A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpgfirefox.exe, 00000010.00000002.2608955121.000001C499BC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2615734905.0000026DFE203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://spocs.getpocket.com/firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571869973.00000208CBC63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2608808515.00000265F2B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2610286174.0000026DFE013000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://services.addons.mozilla.org/api/v4/abuse/report/addon/firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-ffirefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://www.iqiyi.com/firefox.exe, 0000000E.00000003.1593658392.00000208C9633000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_rfirefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://monitor.firefox.com/user/breach-stats?includeResolved=truefirefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-reportfirefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://addons.mozilla.org/firefox.exe, 0000000E.00000003.1560418677.00000208CA0C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://a9.com/-/spec/opensearch/1.0/firefox.exe, 0000000E.00000003.1587415236.00000208D0565000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584397828.00000208D0564000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://safebrowsing.google.com/safebrowsing/diagnostic?site=firefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://monitor.firefox.com/user/dashboardfirefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_IDfirefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://monitor.firefox.com/aboutfirefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            http://mozilla.org/MPL/2.0/.firefox.exe, 0000000E.00000003.1464290576.00000208CA2EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1589593509.00000208CBCB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1574040229.00000208C8850000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1631036638.00000208C9377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1473697877.00000208CA294000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1511825111.00000208C9CE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556627367.00000208D016B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1473697877.00000208CA2E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522681990.00000208C9F45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565409313.00000208D077A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558214510.00000208CB20C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1594066935.00000208C959B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1463315463.00000208CA2DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1511237633.00000208C9EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1541834291.00000208CA2F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464290576.00000208CA2F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562614154.00000208C9E8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 
0000000E.00000003.1511237633.00000208C9EC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1516803096.00000208D0217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1454552162.00000208C9E8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1454552162.00000208C9EB0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://account.bellmedia.cfirefox.exe, 0000000E.00000003.1635817553.00000208CB086000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577067245.00000208CB086000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                https://login.microsoftonline.comfirefox.exe, 0000000E.00000003.1635817553.00000208CB086000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577067245.00000208CB086000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  https://coverage.mozilla.orgfirefox.exe, 00000010.00000002.2614571763.000001C499C50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2608042737.00000265F2990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2609880168.0000026DFDF70000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    http://crl.thawte.com/ThawteTimestampingCA.crl0gmpopenh264.dll.tmp.14.drfalse
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575331
Start date and time: 2024-12-15 09:17:27 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 6eftz6UKDm.exe (renamed because the original name is a hash value)
Original Sample Name: 2b1706b1a255a25718d22746c3ae418e.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@34/36@69/12
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 50
• Number of non-executed functions: 296
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 44.228.225.150, 54.213.181.160, 35.85.93.176, 142.250.181.106, 142.250.181.138, 172.217.17.46, 88.221.134.155, 88.221.134.209, 13.107.246.63, 23.218.208.109, 4.175.87.197
• Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, incoming.telemetry.mozilla.org, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, azureedge-t-prod.trafficmanager.net, safebrowsing.googleapis.com, location.services.mozilla.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:18:33 | API Interceptor | 1x Sleep call for process: firefox.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig
34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar
34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar
34.117.188.166 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig
34.117.188.166 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig
34.117.188.166 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig
34.149.100.209 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar
34.149.100.209 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
34.149.100.209 | file.exe | malicious | Credential Flusher
34.149.100.209 | file.exe | malicious | Credential Flusher
34.149.100.209 | file.exe | malicious | Credential Flusher
34.149.100.209 | file.exe | malicious | Credential Flusher
34.149.100.209 | file.exe | malicious | Credential Flusher
34.149.100.209 | file.exe | malicious | Credential Flusher
34.149.100.209 | file.exe | malicious | Credential Flusher
34.149.100.209 | file.exe | malicious | Credential Flusher
151.101.65.91 | file.exe | malicious | Credential Flusher
151.101.65.91 | file.exe | malicious | Credential Flusher
151.101.65.91 | file.exe | malicious | Credential Flusher
151.101.65.91 | file.exe | malicious | Credential Flusher
151.101.65.91 | Pl8Tb06C8A.exe | malicious | Credential Flusher
151.101.65.91 | file.exe | malicious | Credential Flusher
151.101.65.91 | file.exe | malicious | Credential Flusher
151.101.65.91 | file.exe | malicious | Credential Flusher
151.101.65.91 | file.exe | malicious | Credential Flusher
151.101.65.91 | file.exe | malicious | Credential Flusher
                                                                                                                                                                                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                                                                                                      example.orgfile.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                                                                                                      • 93.184.215.14
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                                                                                                                                                                                                                                                      • 93.184.215.14
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                                                                                                                                                                                                                                      • 93.184.215.14
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, VidarBrowse
                                                                                                                                                                                                                                                                                                                                      • 93.184.215.14
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                                                                                                      • 93.184.215.14
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousAmadey, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                                                                                                                                                                                                                                      • 93.184.215.14
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousAmadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, StealcBrowse
                                                                                                                                                                                                                                                                                                                                      • 93.184.215.14
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 93.184.215.14 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | Browse | 93.184.215.14 |
| | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 93.184.215.14 |
| star-mini.c10r.facebook.com | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 157.240.196.35 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | Browse | 157.240.196.35 |
| | file.exe | Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 157.240.196.35 |
| | https://qr.me-qr.com/nl/sWBHqqwx | Get hash | malicious | Unknown | Browse | 157.240.196.35 |
| | file.exe | Get hash | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | Browse | 157.240.196.35 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 157.240.196.35 |
| | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 157.240.196.35 |
| | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 157.240.196.35 |
| | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 157.240.196.35 |
| | https://u13974777.ct.sendgrid.net/ls/click?upn=u001.1GFl1p-2BBYL-2Bhgs5F-2B0NOkrtNxvRU5lHyHn9X7Gay0rMweTw4Bty7YorCE1pBfo679HN2Nod-2BfRWA-2FvzNVU6n0ycgVO9YFLntVOrRszMr10A-3DE-mj_xaXJc0NsC5WAXuVv6HNgzGH9nxkzD8xRdi-2BQVNVTAgV30zfSKc1z4I-2Bc6Qx1hEzdtXusfFTLvSScqQmgK1DgmCe6NsmhCnbLpmZI7EPM56c0IpOXy2jX8FUofqX-2FLwkrDNu-2BJ8VdkhW-2BcibVgB56YvBarWAJ68QdVLDk-2BreYFAbG2RxK5FI2ZOf8OuVaYqzfkm-2FGiI9tY4Y1XN-2FN7Uh8Vtzi-2FP-2B8s9qjOHBuznAYsq-2B4GCewCcJExgcNnMrLH-2B3Pv6vH6wzFQkN2aMTddwwaWvcIkZYQDF7aLn1FYUQMocCkCTJEmkArX-2Bdrge72rYVSFN-2FsI6AAcwN5SA74y-2B4g6Q-3D-3D | Get hash | malicious | Unknown | Browse | 157.240.196.35 |
| twitter.com | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 104.244.42.1 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | Browse | 104.244.42.129 |
| | file.exe | Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 104.244.42.65 |
| | file.exe | Get hash | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | Browse | 104.244.42.193 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 104.244.42.1 |
| | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 104.244.42.65 |
| | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 104.244.42.193 |
| | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 104.244.42.1 |
| | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 104.244.42.129 |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 34.117.188.166 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 34.117.188.166 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 34.117.188.166 |
| | file.exe | Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig | Browse | 34.117.59.81 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | Browse | 34.117.188.166 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 34.117.188.166 |
| | TRC.mpsl.elf | Get hash | malicious | Mirai | Browse | 34.66.152.246 |
| | TRC.sh4.elf | Get hash | malicious | Mirai | Browse | 34.65.156.142 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 34.117.188.166 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | Browse | 34.117.188.166 |
| FASTLYUS | rebirth.arm5.elf | Get hash | malicious | Mirai, Okiru | Browse | 104.156.89.37 |
| | LaRHzSijsq.exe | Get hash | malicious | DCRat | Browse | 185.199.109.133 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | Browse | 151.101.193.91 |
| | 3edTbzftGf.exe | Get hash | malicious | Discord Token Stealer, DotStealer | Browse | 185.199.109.133 |
| | c56uoWlDXp.exe | Get hash | malicious | Unknown | Browse | 185.199.111.133 |
| | PO_0099822111ORDER.js | Get hash | malicious | Remcos | Browse | 151.101.193.137 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 151.101.193.91 |
| | https://www.google.co.ao/url?Obdy=ObM8wNGVUva21gnTm3qS&cgsr=7knoOQwChvIkzgfn0TSm&sa=t&wofc=nQYL5DF797O1da77PTBQ&url=amp%2Fprimer-distrito-amvt.org%2F.r%2F7T2aAE-SUREDANNYWthbnNoYS5rYW5vZGlhQGx0aW1pbmR0cmVlLmNvbQ== | Get hash | malicious | HTMLPhisher | Browse | 151.101.66.137 |
| | https://u13974777.ct.sendgrid.net/ls/click?upn=u001.1GFl1p-2BBYL-2Bhgs5F-2B0NOkrtNxvRU5lHyHn9X7Gay0rMweTw4Bty7YorCE1pBfo679HN2Nod-2BfRWA-2FvzNVU6n0ycgVO9YFLntVOrRszMr10A-3DE-mj_xaXJc0NsC5WAXuVv6HNgzGH9nxkzD8xRdi-2BQVNVTAgV30zfSKc1z4I-2Bc6Qx1hEzdtXusfFTLvSScqQmgK1DgmCe6NsmhCnbLpmZI7EPM56c0IpOXy2jX8FUofqX-2FLwkrDNu-2BJ8VdkhW-2BcibVgB56YvBarWAJ68QdVLDk-2BreYFAbG2RxK5FI2ZOf8OuVaYqzfkm-2FGiI9tY4Y1XN-2FN7Uh8Vtzi-2FP-2B8s9qjOHBuznAYsq-2B4GCewCcJExgcNnMrLH-2B3Pv6vH6wzFQkN2aMTddwwaWvcIkZYQDF7aLn1FYUQMocCkCTJEmkArX-2Bdrge72rYVSFN-2FsI6AAcwN5SA74y-2B4g6Q-3D-3D | Get hash | malicious | Unknown | Browse | 151.101.65.44 |
| | http://vzgb5l.elnk8.com/83885021a686e36f9150aaf51cbc0afdh | Get hash | malicious | Unknown | Browse | 151.101.2.217 |
| ATGS-MMD-ASUS | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 34.160.144.191 |
| | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 34.160.144.191 |
| | rebirth.sh4.elf | Get hash | malicious | Mirai, Okiru | Browse | 57.162.2.122 |
| | rebirth.arm.elf | Get hash | malicious | Mirai, Okiru | Browse | 48.105.135.114 |
                                                                                                                                                                                                                                                                                                                                      sh4.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                                                                                                                      • 48.183.87.136
                                                                                                                                                                                                                                                                                                                                      powerpc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                                                                                                                      • 33.54.211.134
                                                                                                                                                                                                                                                                                                                                      sparc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                                                                                                                      • 48.133.95.30
                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                                                                                                                                                                                                                                      • 34.160.144.191
                                                                                                                                                                                                                                                                                                                                      x86_32.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                                                                                                                      • 48.231.67.69
                                                                                                                                                                                                                                                                                                                                      arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                                                                                                                      • 33.175.133.56
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
fb0aa01abe9d8e4037eb3473ca6e2dca | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 151.101.65.91, 34.120.208.123
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 151.101.65.91, 34.120.208.123
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 151.101.65.91, 34.120.208.123
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 151.101.65.91, 34.120.208.123
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 151.101.65.91, 34.120.208.123
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 151.101.65.91, 34.120.208.123
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 151.101.65.91, 34.120.208.123
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 151.101.65.91, 34.120.208.123
 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 151.101.65.91, 34.120.208.123
 | file.exe | Get hash | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 35.244.181.201, 34.149.100.209, 34.160.144.191, 151.101.65.91, 34.120.208.123
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy) | file.exe | Get hash | malicious | Credential Flusher | Browse |
 | file.exe | Get hash | malicious | Credential Flusher | Browse |
 | file.exe | Get hash | malicious | Credential Flusher | Browse |
 | file.exe | Get hash | malicious | Credential Flusher | Browse |
 | file.exe | Get hash | malicious | Credential Flusher | Browse |
 | file.exe | Get hash | malicious | Credential Flusher | Browse |
 | file.exe | Get hash | malicious | Credential Flusher | Browse |
 | file.exe | Get hash | malicious | Credential Flusher | Browse |
 | Pl8Tb06C8A.exe | Get hash | malicious | Credential Flusher | Browse |
 | file.exe | Get hash | malicious | Credential Flusher | Browse |
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp | file.exe | Get hash | malicious | Credential Flusher | Browse |
 | file.exe | Get hash | malicious | Credential Flusher | Browse |
 | file.exe | Get hash | malicious | Credential Flusher | Browse |
 | file.exe | Get hash | malicious | Credential Flusher | Browse |
                                                                                                                                                                                                                                                                                                                                                                  file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                    file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                      file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                        file.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                          Pl8Tb06C8A.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                                            file.exeGet hashmaliciousCredential FlusherBrowse
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: JSON data
Category: dropped
Size (bytes): 7962
Entropy (8bit): 5.18441195247632
Encrypted: false
SSDEEP: 192:cSMXnTkcbhbVbTbfbRbObtbyEl7nArrJA6unSrDtTkdwSzA:cnYcNhnzFSJgri1nSrDhkdwJ
MD5: 962D207EC6AF96D66EF364CB3235F290
SHA1: 7D1FFEDE8FF7321B39F4BD7961990DEB3F31591D
SHA-256: 020E4977C3FA7CAAA16011E9EC635ECB9673AB99417F6BDF4546B17F9C8A3007
SHA-512: E13ED85EAC2335E47814BF98F553AC5DF9D7BD7D9CBC732D37924668C5FFDAFD5EC2CE65E5C75D04D40D9F9732EB58144426E42F6A484855742D4982F3F2D9BF
Malicious: false
Preview: {"type":"uninstall","id":"95ca756b-6fb2-4e22-ae97-847883f54411","creationDate":"2024-12-15T09:51:21.369Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"925ffdea-713b-4a0d-8648-4d4e3cf3260c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.4593089050301797
Encrypted: false
SSDEEP: 48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5: D910AD167F0217587501FDCDB33CC544
SHA1: 2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256: E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512: F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious: false
Preview: ... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 453023
Entropy (8bit): 7.997718157581587
Encrypted: true
SSDEEP: 12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5: 85430BAED3398695717B0263807CF97C
SHA1: FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256: A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512: 06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious: false
Preview: PK.........bN...R..........gmpopenh264.dll..|.E.0.=..I.....1....4f1q.`.........q.....'+....h*m{.z..o_.{w........$..($A!...|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`...*.........ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\......*.....-i.K.I..4.a..6..*...Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N.*.}..).3.N%.!..q*........^I.m..~...6.#.~+.....A...I]r...x..*.<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..|c.1.cUkM.&.Qn]..a]t.h..*.!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: JSON data
Category: dropped
Size (bytes): 4282
Entropy (8bit): 4.928642329351061
Encrypted: false
SSDEEP: 96:LtlL8S+OgPUFuWOdwNIOd4fOIjvYoLTRL+o8P:5lL8S+OYUIWOdwiOd6tjRHRL+o8P
MD5: 70F6FD46703096D12DE38181E7B68FCD
SHA1: 05E9047C5891C4249FB8C6656EFF85528E071298
SHA-256: B1F4107887166DF6EDACF5A950E6B5B44A59D7759D7D2BCA496075EF7DFA9DC3
SHA-512: 8926E6BB8FDB02FD607E9457DB4A0EAD5E70A636F9893C006E8DF37B8AE05CA3B30F9AC2C1C71523EBC5540B365358441B2C533E847579DD801C3E816D480FB0
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:{"awesome-bar-result-menu-rollout-phase-1":{"slug":"awesome-bar-result-menu-rollout-phase-1","branch":{"slug":"control-rollout","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"resultMenu":true},"enabled":true,"featureId":"urlbar"}]},"active":true,"enrollmentId":"4a172078-7658-4e04-b71d-3ec1ff4a5bc8","experimentType":"rollout","source":"rs-loader","userFacingName":"Awesome Bar Result Menu Rollout (Phase 1)","userFacingDescription":"Testing out results menu options in the awesome bar.","lastSeen":"2023-10-05T09:02:05.924Z","featureIds":["urlbar"],"prefs":[],"isRollout":true},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"9002f3f3-8d5
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:Mozilla lz4 compressed data, originally 26944 bytes
Category:dropped
Size (bytes):6071
Entropy (8bit):6.616660085589534
Encrypted:false
SSDEEP:96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTat:7Tx2x2t0FDJ4NF6ILDfzjtedh6T2
MD5:FE6BD3BB761E32FB710A2321524D3CC3
SHA1:517AECEBF0580FE08AAA8DFCD42722B458EAD083
SHA-256:E2C4E6390738DEC403757230210E483B196DC2956769A24B5B217A1B9F8D5541
SHA-512:D691556C773AA2C9C0CF80BABB7437A3D7415C08A5654E47584602BFC8624FFEBA788D58636C158164F897A2BBAB57E9CB633CB54D13418BF13B400F72495B5D
Malicious:false
Preview:mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."*://login.microsoftonline.com/*","..@us/*L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay*....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):24
Entropy (8bit):3.91829583405449
Encrypted:false
SSDEEP:3:YWGifTJE6iHQ:YWGif9EE
MD5:3088F0272D29FAA42ED452C5E8120B08
SHA1:C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:false
Preview:{"schema":6,"addons":[]}
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):262144
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):0.04905141882491872
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
                                                                                                                                                                                                                                                                                                                                                                              MD5:8736A542C5564A922C47B19D9CC5E0F2
                                                                                                                                                                                                                                                                                                                                                                              SHA1:CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j......|....~.}.}z}-|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:Mozilla lz4 compressed data, originally 56 bytes
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):66
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):4.837595020998689
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
                                                                                                                                                                                                                                                                                                                                                                              MD5:A6338865EB252D0EF8FCF11FA9AF3F0D
                                                                                                                                                                                                                                                                                                                                                                              SHA1:CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):36830
Entropy (8bit):5.1867460354193025
Encrypted:false
SSDEEP:768:fI40vfAXP4B6t4y4Tq4E4YFS8RM4Vi4cj45f444i4x:frFZRJw
MD5:7B0C90FC9D725F1C1620EF90ECFE6CFA
SHA1:2042AAAB0A72DB12C25AB4836691EE7059706A6B
SHA-256:89839AEC9AAEFD6E1755DD6BD7FB21E75E1F74364375EB6C35AB6C88398F5508
SHA-512:7F3E4E8CF53F4BB83D47C15A7E5ED0B83E3C907633B67BDA9750748E9FFB3954B435702C42AE1ACEB7ABC294DF8F94B737897A0FD479F054A433796283F6D2CF
Malicious:false
Preview:{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{d063e708-a05a-4089-963d-a0e071e9f0e3}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.017262956703125623
Encrypted:false
SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1021904
Entropy (8bit):6.648417932394748
Encrypted:false
SSDEEP:12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:FE3355639648C417E8307C6D051E3E37
SHA1:F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: Pl8Tb06C8A.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:ASCII text
Category:dropped
Size (bytes):116
Entropy (8bit):4.968220104601006
Encrypted:false
SSDEEP:3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:3D33CDC0B3D281E67DD52E14435DD04F
SHA1:4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):116
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):4.968220104601006
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
                                                                                                                                                                                                                                                                                                                                                                              MD5:3D33CDC0B3D281E67DD52E14435DD04F
                                                                                                                                                                                                                                                                                                                                                                              SHA1:4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):98304
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):0.07325191489741875
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
                                                                                                                                                                                                                                                                                                                                                                              MD5:88591F4EC3FB6DD1FCC3504D3BCD9587
                                                                                                                                                                                                                                                                                                                                                                              SHA1:9B8A23B9C6A599187FE8A0F415EBCD8BCCB57186
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:E960AD2A1D71AAB6195DA344422DCEBAB72C9B85191D891F3D97AABEAE2699A3
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:9F6108BDA6AF6E6A83F56571C717DCBBF5AAEECDB2A487529B6EE7CB3D3501EA93B52E32B1C1C263A144D3F56E1FFB06808FEB9229974AE64DA7D94292E7C05B
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):0.035455806264726504
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:3:GtlstF4ow8y61H79o/ltlstF4ow8y61H7l/lL89//alEl:GtWt6owj61biltWt6owj61btlL89XuM
                                                                                                                                                                                                                                                                                                                                                                              MD5:AA78B8DF2E54D3713A2722E63B6B1A27
                                                                                                                                                                                                                                                                                                                                                                              SHA1:EA0073AA034172877CFB80F27106BF96E2A70C20
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:B57A521B116DBC2E6B12D9D04CF66B0E1AF9C6B6F6AD5FA9345CE5A95A956489
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:201BFEAB3C157B66A127DFCEF0810E04A3A71F65A7FE5AEF9F1FB475A5EBDE0249B2497A079BF2ACFE5521E48187423B6D85CD6B6B425797B46BB8B06EB1D149
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:..-........................#..OW;..y3<.Ec.G..-W..-........................#..OW;..y3<.Ec.G..-W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):32824
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):0.03989725522705737
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:3:Ol1S1r30ehrZ1tYvYa7l8rEXsxdwhml8XW3R2:K01rxrZ1tEYwl8dMhm93w
                                                                                                                                                                                                                                                                                                                                                                              MD5:F1D968FB0FAF8F6670DCAA7B356EF4DD
                                                                                                                                                                                                                                                                                                                                                                              SHA1:378C549012FBF63A6047382A508BA90C56341091
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:CC7E1F1DCE89DA7A556E7699E4455E95EB1037C7E768446E3BD1ED0B4CE2F029
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:87DFA9425E116D01F0506489D4B43EFBCA7B2D3541B5B945C1133D10EA781FCC6852C5E2CFB8DB2ABC234E93FA2C796669A21918F89BF15E00C51AA11437D148
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:7....-..........;..y3<.x..NA1.l........;..y3<.#...WO..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:ASCII text, with very long lines (1765), with CRLF line terminators
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):13209
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):5.479198382726626
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:192:eYgniR4lYbBp6zp0pUhUxaXs6Y4nysZM2geNWr5RlbBNBw8dNSl:UeaGpCU2Y4ysngKItpwm0
MD5: D2999E1B4F5346AD4DF03101EA994637
SHA1: E52A7038B3DEB8A22C6614050BCD9E5D2EEE18B4
SHA-256: 17C355156506815CAD50F9EB690C54D40FA24525484120C2E1F841A78FAFBA45
SHA-512: 577803B73A2D647C9A4347D51A5252509C11959C086DF1BC5BEB87B6A343F033FA1ACE17F87C8DA486F54F222789679A369484F4403D883F7973BD2C899F744E
Malicious: false
Preview: // Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "d3d72102-142d-47cc-a7b7-5b20541f2540");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734256251);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734256251);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734256251);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173425

Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: ASCII text, with very long lines (1765), with CRLF line terminators
Category: dropped
Size (bytes): 13209
Entropy (8bit): 5.479198382726626
Encrypted: false
SSDEEP: 192:eYgniR4lYbBp6zp0pUhUxaXs6Y4nysZM2geNWr5RlbBNBw8dNSl:UeaGpCU2Y4ysngKItpwm0
MD5: D2999E1B4F5346AD4DF03101EA994637
SHA1: E52A7038B3DEB8A22C6614050BCD9E5D2EEE18B4
SHA-256: 17C355156506815CAD50F9EB690C54D40FA24525484120C2E1F841A78FAFBA45
SHA-512: 577803B73A2D647C9A4347D51A5252509C11959C086DF1BC5BEB87B6A343F033FA1ACE17F87C8DA486F54F222789679A369484F4403D883F7973BD2C899F744E
Malicious: false
Preview: // Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "d3d72102-142d-47cc-a7b7-5b20541f2540");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734256251);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734256251);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734256251);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173425

Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.04062825861060003
Encrypted: false
SSDEEP: 3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5: 60C09456D6362C6FBED48C69AA342C3C
SHA1: 58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256: FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512: 936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious: false
Preview: SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: JSON data
Category: dropped
Size (bytes): 493
Entropy (8bit): 4.970029092931956
Encrypted: false
SSDEEP: 12:YZFgf6tDOVbIVHlW8cOlZGV1AQIYzvZcyBuLZ0pW:Y1sSlCOlZGV1AQIWZcy6Z0M
MD5: 0A371793F6892BA5C8CBAFDA1DA29D9E
SHA1: 32C4D6378C25910F80AA0948E48D95A349D9BF7A
SHA-256: 37B1045E360196271D15FE15BA70E1CBE47D9DF13F2D59B6CDB8274DCC0BEF78
SHA-512: 6145A162D84065082EA8E34ED440A303F12A9CAB036080937B264EF0487B8B4E1FA1586D283744B921EEDC8F59835563FECD499029853F42974451CFB1E32311
Malicious: false
Preview: {"type":"health","id":"336a2be6-984d-4363-97a7-49c43fda1b1e","creationDate":"2024-12-15T09:51:22.599Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"925ffdea-713b-4a0d-8648-4d4e3cf3260c"}

Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: JSON data
Category: modified
Size (bytes): 493
Entropy (8bit): 4.970029092931956
Encrypted: false
SSDEEP: 12:YZFgf6tDOVbIVHlW8cOlZGV1AQIYzvZcyBuLZ0pW:Y1sSlCOlZGV1AQIWZcy6Z0M
MD5: 0A371793F6892BA5C8CBAFDA1DA29D9E
SHA1: 32C4D6378C25910F80AA0948E48D95A349D9BF7A
SHA-256: 37B1045E360196271D15FE15BA70E1CBE47D9DF13F2D59B6CDB8274DCC0BEF78
SHA-512: 6145A162D84065082EA8E34ED440A303F12A9CAB036080937B264EF0487B8B4E1FA1586D283744B921EEDC8F59835563FECD499029853F42974451CFB1E32311
Malicious: false
Preview: {"type":"health","id":"336a2be6-984d-4363-97a7-49c43fda1b1e","creationDate":"2024-12-15T09:51:22.599Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"925ffdea-713b-4a0d-8648-4d4e3cf3260c"}

Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: JSON data
Category: dropped
Size (bytes): 90
Entropy (8bit): 4.194538242412464
Encrypted: false
SSDEEP: 3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5: C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1: 5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256: 00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512: 71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious: false
Preview: {"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

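The entries above list the same Firefox profile files more than once (identical hashes under separate entries, one of them with Category modified instead of dropped) and give, for each file, its size, 8-bit entropy and hashes. The following Python is an added example, not part of the Joe Sandbox report: it parses a constructed excerpt of this listing, collapses entries that share a SHA-256, sniffs the content type from magic bytes rather than trusting the declared File Type, and recomputes size, hashes and entropy from the bytes of the 90-byte JSON that the Preview field shows in full. Field names are the report's; the helper names and the SQLite magic-byte check are the example's own.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed excerpt of the dropped-file listing above. Values are copied from
# the report, limited to the fields this script uses; a new record starts at
# each "Process:" line, as in the report itself.
SAMPLE_LISTING = """\
Process:C:\\Program Files\\Mozilla Firefox\\firefox.exe
File Type:ASCII text, with very long lines (1765), with CRLF line terminators
Category:dropped
Size (bytes):13209
Entropy (8bit):5.479198382726626
Encrypted:false
MD5:D2999E1B4F5346AD4DF03101EA994637
SHA-256:17C355156506815CAD50F9EB690C54D40FA24525484120C2E1F841A78FAFBA45
Malicious:false
Process:C:\\Program Files\\Mozilla Firefox\\firefox.exe
File Type:ASCII text, with very long lines (1765), with CRLF line terminators
Category:dropped
Size (bytes):13209
Entropy (8bit):5.479198382726626
Encrypted:false
MD5:D2999E1B4F5346AD4DF03101EA994637
SHA-256:17C355156506815CAD50F9EB690C54D40FA24525484120C2E1F841A78FAFBA45
Malicious:false
Process:C:\\Program Files\\Mozilla Firefox\\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):90
Entropy (8bit):4.194538242412464
Encrypted:false
MD5:C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA-256:00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
Malicious:false
"""

# The complete 90-byte JSON file from that entry's Preview field (no trailing newline).
JSON_90 = b'{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}'

# SQLite 3 header magic (16 bytes including the terminating NUL); the dots in the
# report's Preview of the database file are how it renders those NULs.
SQLITE_MAGIC = b"SQLite format 3\x00"


def parse_listing(text):
    """Split a flattened key:value listing into one dict per dropped file."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")  # first colon only: paths contain "C:"
        key, value = key.strip(), value.strip()
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the figure the report labels 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data):
    """Content sniff from the bytes; a mismatch with the declared File Type is worth a look."""
    if data.startswith(SQLITE_MAGIC):
        return "sqlite3"
    stripped = data.strip()
    if stripped[:1] in (b"{", b"[") and stripped[-1:] in (b"}", b"]"):
        return "json"
    return "unknown"


def verify_record(record, data):
    """Recompute size, hashes and entropy from the bytes and compare with the record's fields."""
    return {
        "size": len(data) == int(record["Size (bytes)"]),
        "md5": hashlib.md5(data).hexdigest().upper() == record["MD5"].upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper() == record["SHA-256"].upper(),
        "entropy": abs(shannon_entropy(data) - float(record["Entropy (8bit)"])) < 1e-9,
    }


def group_by_sha256(records):
    """Map SHA-256 -> entry count; the same content dropped under several paths collapses here."""
    groups = defaultdict(int)
    for r in records:
        groups[r["SHA-256"]] += 1
    return dict(groups)


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print(len(recs), "entries,", len(group_by_sha256(recs)), "distinct contents")
    print("90-byte JSON vs. report:", verify_record(recs[2], JSON_90))
    print("sniffed:", sniff_type(JSON_90), sniff_type(SQLITE_MAGIC + b"\x00" * 84))
```

The entropy figure is the plain Shannon entropy of the byte histogram, so a 65536-byte SQLite file that is almost all zero padding scores near 0 (as the database entry above does) while packed or encrypted payloads approach 8; the report's Encrypted flag is presumably derived from that figure, but the threshold it uses is not stated on the page.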
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: JSON data
Category: dropped
Size (bytes): 90
Entropy (8bit): 4.194538242412464
Encrypted: false
SSDEEP: 3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5: C4AB2EE59CA41B6D6A6EA911F35BDC00
                                                                                                                                                                                                                                                                                                                                                                              SHA1:5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:Mozilla lz4 compressed data, originally 5861 bytes
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):1568
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):6.3430873899203855
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:24:v+USUGlcAxS4yTxLXnIgr/pnxQwRlscT5sKHUP0m3RHVz80NTFamhujJUyRO1ddg:GUpOxmx9nRfvm3Rt/NTF4JU4gk
                                                                                                                                                                                                                                                                                                                                                                              MD5:99F987B96278B7380333B6CD729D94B3
                                                                                                                                                                                                                                                                                                                                                                              SHA1:C4C095E7F47A95CED5045C9A41EA2E767CDB9F13
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:2AE4858816F5F291230AACAFDA78924D211B9A010E085FD6BCB6ADA498A7EBB2
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:15B6EAF34EF75222B2B47571C5A68C688B68D61583B1BCE1EBEDB5A247E98745E0A02B8A9873D3F617FB15BC246BCEECE4F00D3DF4EF62E9C5CCA75986F1E426
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{fc1f32d9-dd63-4ffd-b9e2-3d48332ac289}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734256254324,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...3a9a5720-bff5-4c6e-b4c6-310a980401cc","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..A2061...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...57690a852cf25691edcc5dba89528ccc77effc8490718525fd032e922bfe3184","pa..p"/","na..a"taarI|.Recure...,`.Donly..fexpiry...26597,"originA...."fi
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:Mozilla lz4 compressed data, originally 5861 bytes
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):1568
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):6.3430873899203855
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:24:v+USUGlcAxS4yTxLXnIgr/pnxQwRlscT5sKHUP0m3RHVz80NTFamhujJUyRO1ddg:GUpOxmx9nRfvm3Rt/NTF4JU4gk
                                                                                                                                                                                                                                                                                                                                                                              MD5:99F987B96278B7380333B6CD729D94B3
                                                                                                                                                                                                                                                                                                                                                                              SHA1:C4C095E7F47A95CED5045C9A41EA2E767CDB9F13
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:2AE4858816F5F291230AACAFDA78924D211B9A010E085FD6BCB6ADA498A7EBB2
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:15B6EAF34EF75222B2B47571C5A68C688B68D61583B1BCE1EBEDB5A247E98745E0A02B8A9873D3F617FB15BC246BCEECE4F00D3DF4EF62E9C5CCA75986F1E426
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{fc1f32d9-dd63-4ffd-b9e2-3d48332ac289}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734256254324,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...3a9a5720-bff5-4c6e-b4c6-310a980401cc","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..A2061...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...57690a852cf25691edcc5dba89528ccc77effc8490718525fd032e922bfe3184","pa..p"/","na..a"taarI|.Recure...,`.Donly..fexpiry...26597,"originA...."fi
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:Mozilla lz4 compressed data, originally 5861 bytes
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):1568
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):6.3430873899203855
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:24:v+USUGlcAxS4yTxLXnIgr/pnxQwRlscT5sKHUP0m3RHVz80NTFamhujJUyRO1ddg:GUpOxmx9nRfvm3Rt/NTF4JU4gk
                                                                                                                                                                                                                                                                                                                                                                              MD5:99F987B96278B7380333B6CD729D94B3
                                                                                                                                                                                                                                                                                                                                                                              SHA1:C4C095E7F47A95CED5045C9A41EA2E767CDB9F13
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:2AE4858816F5F291230AACAFDA78924D211B9A010E085FD6BCB6ADA498A7EBB2
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:15B6EAF34EF75222B2B47571C5A68C688B68D61583B1BCE1EBEDB5A247E98745E0A02B8A9873D3F617FB15BC246BCEECE4F00D3DF4EF62E9C5CCA75986F1E426
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{fc1f32d9-dd63-4ffd-b9e2-3d48332ac289}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734256254324,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...3a9a5720-bff5-4c6e-b4c6-310a980401cc","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..A2061...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...57690a852cf25691edcc5dba89528ccc77effc8490718525fd032e922bfe3184","pa..p"/","na..a"taarI|.Recure...,`.Donly..fexpiry...26597,"originA...."fi
                                                                                                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                              File Type:SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
                                                                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                                                                              Size (bytes):4096
                                                                                                                                                                                                                                                                                                                                                                              Entropy (8bit):2.0836444556178684
                                                                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                              SSDEEP:24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
                                                                                                                                                                                                                                                                                                                                                                              MD5:8B40B1534FF0F4B533AF767EB5639A05
                                                                                                                                                                                                                                                                                                                                                                              SHA1:63EDB539EA39AD09D701A36B535C4C087AE08CC9
                                                                                                                                                                                                                                                                                                                                                                              SHA-256:AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
                                                                                                                                                                                                                                                                                                                                                                              SHA-512:54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
                                                                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: JSON data
Category: dropped
Size (bytes): 4537
Entropy (8bit): 5.030351406502499
Encrypted: false
SSDEEP: 48:YrSAYZuwUQZpExB1+anO9WJVhAUVlhWFzzc87YMsku7f86SLAVL7y45FtsfAcbyk:ycZjTEr5taFzzcHvbw6KkSirc2Rn27
MD5: 6F540A21859EB04696A89FFF3AF50CA5
SHA1: 5782D7C4FD9E4B093E2106E385E5373EB6966287
SHA-256: 7F2A843195BC4EB69A69676FD06E9E81555AC6D222F49DC06AA6A23F134E11EB
SHA-512: FF55622947DD28115280AF2331A4C2EF2D9259E7D707AB867BF2A7F98E83B2C034AE9B4E74C43CDE01A4192142CF8D2E0E40DFCC624B5DC71530E28F0AD21A81
Malicious: false
Preview: {"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-15T09:50:36.527Z","profileAgeCreated":1696496521804,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: JSON data
Category: dropped
Size (bytes): 4537
Entropy (8bit): 5.030351406502499
Encrypted: false
SSDEEP: 48:YrSAYZuwUQZpExB1+anO9WJVhAUVlhWFzzc87YMsku7f86SLAVL7y45FtsfAcbyk:ycZjTEr5taFzzcHvbw6KkSirc2Rn27
MD5: 6F540A21859EB04696A89FFF3AF50CA5
SHA1: 5782D7C4FD9E4B093E2106E385E5373EB6966287
SHA-256: 7F2A843195BC4EB69A69676FD06E9E81555AC6D222F49DC06AA6A23F134E11EB
SHA-512: FF55622947DD28115280AF2331A4C2EF2D9259E7D707AB867BF2A7F98E83B2C034AE9B4E74C43CDE01A4192142CF8D2E0E40DFCC624B5DC71530E28F0AD21A81
Malicious: false
Preview: {"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-15T09:50:36.527Z","profileAgeCreated":1696496521804,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.692707893692249
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 6eftz6UKDm.exe
File size: 965'632 bytes
MD5: 2b1706b1a255a25718d22746c3ae418e
SHA1: dedb5907b8746c76ad5bc264e05e06784447dcdd
SHA256: 6c07d9e629e0b333fb62691c0a8c21e63e6c8da54a7e02fb387d6aec8fd031e0
SHA512: 9cc859600e150d2161bd3761b7ccca902c3f2298659c27e7909f13498788e2eadfdb15dc2b4a8985a561740f1a1a0ec5c3834e388abfd08bd9040085b35fb31d
SSDEEP: 12288:BqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaGlS4T:BqDEvCTbMWu7rQYlBQcBiT6rprG8aQR
TLSH: 98259E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x420577
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675E6F27 [Sun Dec 15 05:54:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 948cc502fe9226992dce9417f952fce3
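The static header fields above (entrypoint, image base, time stamp, image file and DLL characteristics, subsystem and the three version pairs) are read directly from the COFF file header and the PE32 optional header of the sample. The Python below is an added example, not code from the Joe Sandbox report: it decodes those fields from raw image bytes the way the table presents them, and runs here over a constructed header that carries the values reported for 6eftz6UKDm.exe. The DOS stub, machine type, section count and size fields in that constructed header are placeholders chosen only so it parses, not values taken from the real file; to decode a real sample, pass its bytes to `parse_pe_headers`.

```python
"""Decode PE header fields as a sandbox static-info table reports them.

Added example, not code from the Joe Sandbox report. Offsets and flag values
follow the Microsoft PE/COFF specification; only PE32 (32-bit) images are handled.
"""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (subset).
IMAGE_FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (subset).
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",           # ASLR opt-in
    0x0100: "NX_COMPAT",              # DEP opt-in
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}

SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def flag_names(value, table):
    """Return the names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data):
    """Return the header fields a static-info table reports, from raw image bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    # IMAGE_FILE_HEADER (20 bytes) follows the PE signature.
    fh = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, fh)

    # IMAGE_OPTIONAL_HEADER32 follows the file header.
    oh = fh + 20
    (magic,) = struct.unpack_from("<H", data, oh)
    if magic != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    (entry_rva,) = struct.unpack_from("<I", data, oh + 16)      # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", data, oh + 28)     # ImageBase
    os_major, os_minor, img_major, img_minor, sub_major, sub_minor = \
        struct.unpack_from("<6H", data, oh + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)

    built = datetime.fromtimestamp(timestamp, timezone.utc)
    return {
        "machine": f"0x{machine:04X}",
        "sections": nsections,
        "time_stamp": f"0x{timestamp:08X} [{built:%a %b %d %H:%M:%S %Y} UTC]",
        "image_file_characteristics": flag_names(chars, IMAGE_FILE_CHARACTERISTICS),
        "entrypoint": f"0x{image_base + entry_rva:x}",  # VA = ImageBase + AddressOfEntryPoint
        "imagebase": f"0x{image_base:x}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "os_version": f"{os_major}.{os_minor}",
        "file_version": f"{img_major}.{img_minor}",
        "subsystem_version": f"{sub_major}.{sub_minor}",
    }


def build_sample_header():
    """Constructed PE32 header carrying the values the report lists for the sample.

    Not the real file: the DOS stub, machine type, section count and size fields
    are placeholders chosen only so that the header parses.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, 5, 0x675E6F27, 0, 0, 224, 0x0122)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x20577)             # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<6H", opt, 40, 5, 1, 5, 1, 5, 1)   # OS / image / subsystem versions
    struct.pack_into("<HH", opt, 68, 2, 0x8040)          # GUI; DYNAMIC_BASE | TERMINAL_SERVER_AWARE
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_headers(build_sample_header()).items():
        print(f"{key}: {value}")
```

Two things the decoded output makes explicit: the entrypoint in the table is a virtual address, ImageBase plus AddressOfEntryPoint (0x400000 + 0x20577 = 0x420577), and the DLL characteristics carry DYNAMIC_BASE but not NX_COMPAT, so the image opts in to ASLR but does not declare DEP compatibility. The compile time stamp decodes to a few hours before the Firefox snapshot's currentDate on the same day; link-time stamps are trivially forgeable, but when they are this fresh they are a cheap pivot for clustering builds from the same builder alongside the import hash and TLSH.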
Instruction
call 00007F2F20B4B563h
jmp 00007F2F20B4AE6Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2F20B4B04Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
                                                                                                                                                                                                                                                                                                                                                                              call 00007F2F20B4B01Ah
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [esi], 0049FE0Ch
                                                                                                                                                                                                                                                                                                                                                                              mov eax, esi
                                                                                                                                                                                                                                                                                                                                                                              pop esi
                                                                                                                                                                                                                                                                                                                                                                              pop ebp
                                                                                                                                                                                                                                                                                                                                                                              retn 0004h
                                                                                                                                                                                                                                                                                                                                                                              and dword ptr [ecx+04h], 00000000h
                                                                                                                                                                                                                                                                                                                                                                              mov eax, ecx
                                                                                                                                                                                                                                                                                                                                                                              and dword ptr [ecx+08h], 00000000h
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [ecx+04h], 0049FE14h
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [ecx], 0049FE0Ch
                                                                                                                                                                                                                                                                                                                                                                              ret
                                                                                                                                                                                                                                                                                                                                                                              push ebp
                                                                                                                                                                                                                                                                                                                                                                              mov ebp, esp
                                                                                                                                                                                                                                                                                                                                                                              push esi
                                                                                                                                                                                                                                                                                                                                                                              mov esi, ecx
                                                                                                                                                                                                                                                                                                                                                                              lea eax, dword ptr [esi+04h]
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [esi], 0049FDD0h
                                                                                                                                                                                                                                                                                                                                                                              and dword ptr [eax], 00000000h
                                                                                                                                                                                                                                                                                                                                                                              and dword ptr [eax+04h], 00000000h
                                                                                                                                                                                                                                                                                                                                                                              push eax
                                                                                                                                                                                                                                                                                                                                                                              mov eax, dword ptr [ebp+08h]
                                                                                                                                                                                                                                                                                                                                                                              add eax, 04h
                                                                                                                                                                                                                                                                                                                                                                              push eax
                                                                                                                                                                                                                                                                                                                                                                              call 00007F2F20B4DC0Dh
                                                                                                                                                                                                                                                                                                                                                                              pop ecx
                                                                                                                                                                                                                                                                                                                                                                              pop ecx
                                                                                                                                                                                                                                                                                                                                                                              mov eax, esi
                                                                                                                                                                                                                                                                                                                                                                              pop esi
                                                                                                                                                                                                                                                                                                                                                                              pop ebp
                                                                                                                                                                                                                                                                                                                                                                              retn 0004h
                                                                                                                                                                                                                                                                                                                                                                              lea eax, dword ptr [ecx+04h]
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [ecx], 0049FDD0h
                                                                                                                                                                                                                                                                                                                                                                              push eax
                                                                                                                                                                                                                                                                                                                                                                              call 00007F2F20B4DC58h
                                                                                                                                                                                                                                                                                                                                                                              pop ecx
                                                                                                                                                                                                                                                                                                                                                                              ret
                                                                                                                                                                                                                                                                                                                                                                              push ebp
                                                                                                                                                                                                                                                                                                                                                                              mov ebp, esp
                                                                                                                                                                                                                                                                                                                                                                              push esi
                                                                                                                                                                                                                                                                                                                                                                              mov esi, ecx
                                                                                                                                                                                                                                                                                                                                                                              lea eax, dword ptr [esi+04h]
                                                                                                                                                                                                                                                                                                                                                                              mov dword ptr [esi], 0049FDD0h
                                                                                                                                                                                                                                                                                                                                                                              push eax
                                                                                                                                                                                                                                                                                                                                                                              call 00007F2F20B4DC41h
                                                                                                                                                                                                                                                                                                                                                                              test byte ptr [ebp+08h], 00000001h
                                                                                                                                                                                                                                                                                                                                                                              pop ecx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc8e64          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd4000          0x15148       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xea000          0x7594        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xb0ff0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xc3400          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xb1010          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x9c000          0x894         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type                                    Entropy             Characteristics
.text   0x1000           0x9ab1d       0x9ac00   0a1473f3064dcbc32ef93c5c8a90f3a6  False     0.565500681542811    data                                         6.668273581389308   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x9c000          0x2fb82       0x2fc00   c9cf2468b60bf4f80f136ed54b3989fb  False     0.35289185209424084  data                                         5.691811547483722   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xcc000          0x706c        0x4800    53b9025d545d65e23295e30afdbd16d9  False     0.04356553819444445  DOS executable (block device driver @\273\)  0.5846666986982398  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xd4000          0x15148       0x15200   bf272914b86bda4592c5e3fd23b6e1e8  False     0.6863443047337278   data                                         7.109687985694455   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xea000          0x7594        0x7600    c68ee8931a32d45eb82dc450ee40efc3  False     0.7628111758474576   data                                         6.7972128181359786  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
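The data-directory and section tables above are the output of a static parse of the PE headers. As an added example (not Joe Sandbox's own code), the following Python reproduces the two checks behind those tables: it parses the section table and the data directories from a raw image, computes per-section Shannon entropy (the "Entropy" column) and resolves each directory's RVA to the section that contains it (the "Is in Section" column), then flags sections above an entropy threshold, sections that are both writable and executable, and directories that fall outside every section. The input is a constructed PE32 image whose section RVAs, virtual sizes and directory RVAs are copied from the tables above; its headers, raw sizes and section contents are synthetic, and the helper names, the 7.0 threshold and the finding strings are assumptions of this example.

```python
"""Static PE triage helpers: parse the section table and data directories,
compute per-section Shannon entropy and resolve directory RVAs to sections.
Added example (hypothetical helper code), not part of the Joe Sandbox report."""
import math
import struct
from collections import Counter

# Data-directory order from the PE/COFF specification (winnt.h)
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(blob: bytes):
    """Return (data_directories, sections) parsed from a raw PE32/PE32+ file."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", blob, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    magic = struct.unpack_from("<H", blob, opt_hdr)[0]
    # Directory array sits at +96 (PE32) or +112 (PE32+); its count is the DWORD before it
    dir_off = opt_hdr + (96 if magic == 0x10B else 112)
    num_dirs = min(struct.unpack_from("<I", blob, dir_off - 4)[0], 16)
    directories = [struct.unpack_from("<II", blob, dir_off + 8 * i) for i in range(num_dirs)]
    sections, sec_hdr = [], opt_hdr + opt_size
    for i in range(num_sections):  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, sec_hdr + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "raw": blob[raw_ptr:raw_ptr + raw_size], "chars": chars})
    return directories, sections

def section_for_rva(sections, rva: int):
    """Name of the section whose virtual range covers rva, or None ('Is in Section')."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None

def audit_pe(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Per-section entropy and W+X check plus directory-to-section mapping, with findings."""
    directories, sections = parse_pe(blob)
    report = {"sections": {}, "directories": {}, "findings": []}
    for s in sections:
        ent = shannon_entropy(s["raw"])
        wx = bool(s["chars"] & IMAGE_SCN_MEM_WRITE) and bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        report["sections"][s["name"]] = {"entropy": ent, "write_exec": wx}
        if ent >= entropy_threshold:
            report["findings"].append(f"{s['name']}: entropy {ent:.2f} (packed/encrypted data?)")
        if wx:
            report["findings"].append(f"{s['name']}: writable and executable")
    for name, (rva, size) in zip(DIRECTORY_NAMES, directories):
        sec = section_for_rva(sections, rva) if rva else None
        report["directories"][name] = (rva, size, sec)
        if rva and sec is None:
            report["findings"].append(f"{name} directory at {rva:#x} lies outside every section")
    return report

def build_sample_pe() -> bytes:
    """Constructed PE32 image: section RVAs/virtual sizes and directory RVAs copy the
    report's tables; headers, raw sizes and section contents are synthetic."""
    spec = [  # (name, VirtualAddress, VirtualSize, Characteristics, constructed contents)
        (b".text", 0x1000, 0x9ab1d, 0x60000020, bytes(range(64)) * 16),      # 6.0 bits
        (b".rdata", 0x9c000, 0x2fb82, 0x40000040, b"strings\0" * 64),
        (b".data", 0xcc000, 0x706c, 0xc0000040, b"\0" * 512),                 # 0.0 bits
        (b".rsrc", 0xd4000, 0x15148, 0x40000040,
         bytes((i * 97 + 13) & 0xFF for i in range(512))),                    # 8.0 bits
        (b".reloc", 0xea000, 0x7594, 0x42000040, bytes(range(0, 256, 4)) * 8),
    ]
    dirs = {"IMPORT": (0xc8e64, 0x17c), "RESOURCE": (0xd4000, 0x15148),
            "BASERELOC": (0xea000, 0x7594), "DEBUG": (0xb0ff0, 0x1c), "TLS": (0xc3400, 0x18),
            "LOAD_CONFIG": (0xb1010, 0x40), "IAT": (0x9c000, 0x894)}
    align, e_lfanew = 0x200, 0x40
    raw_ptr = -(-(e_lfanew + 4 + 20 + 224 + 40 * len(spec)) // align) * align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    for i, name in enumerate(DIRECTORY_NAMES):
        struct.pack_into("<II", opt, 96 + 8 * i, *dirs.get(name, (0, 0)))
    sec_hdrs, bodies, ptr = b"", b"", raw_ptr
    for name, va, vsize, chars, body in spec:
        raw_size = -(-len(body) // align) * align
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(raw_size, b"\0")
        ptr += raw_size
    head = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdrs
    return head.ljust(raw_ptr, b"\0") + bodies
```

Running `audit_pe(build_sample_pe())` maps IMPORT, IAT, DEBUG, TLS and LOAD_CONFIG into .rdata, RESOURCE into .rsrc and BASERELOC into .reloc, matching the table above, and flags only the constructed .rsrc body for high entropy. On the real sample the same check would single out .rsrc as well: its 7.1 entropy is the highest of the five sections and well above the 5.7 of .rdata or the 0.58 of .data, the usual footprint of compressed or encrypted payload data stored as a resource. The .data virtual size (0x706c) exceeding its raw size (0x4800) is normal: the tail is zero-initialised at load time and is not in the file.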
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd4718 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd4840 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4968 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c50 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d78 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5c20 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd64c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd6a30 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8fd8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda080 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4e8 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xda538 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xda634 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdabc8 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb254 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb6e4 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbce0 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc33c | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc7a4 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc8fc | 0xc2ca | data | (none) | (none) | 1.0005213973448843
RT_GROUP_ICON | 0xe8bc8 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0xe8c40 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xe8c54 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xe8c68 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xe8c7c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xe8d58 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Imports
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
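One caveat belongs next to the import table above. This DLL and function set (WSOCK32 sockets alongside WININET, MPR network-drive mapping, WINMM mciSendStringW and waveOutSetVolume, USER32 BlockInput and SendInput, ADVAPI32 CreateProcessWithLogonW and LogonUserW, SHELL32 SHEmptyRecycleBinW) matches the AutoIt3 interpreter's own import table, so it describes what the runtime is able to do, not what this particular script does. The script's logic lives in the RT_RCDATA resource; the interpreter executes it using these imports plus anything it resolves at run time through LoadLibraryA/GetProcAddress (AutoIt's DllCall), so an API absent from this table can still be reached. Static import triage is therefore a capability inventory, not a behaviour claim, and it is most useful for spotting which multi-API primitives are wholly present or wholly absent. The Python below is an added example, not part of the report: it parses the rows in the flattened form they arrived in here (DLL name fused to the first import, the longest rows wrapped onto a continuation line), groups imports into capability buckets of my own choosing, and checks whether complete API chains are statically imported. REPORT_EXCERPT copies a subset of the rows above with the KERNEL32 and ADVAPI32 lists shortened; it is not the full table.

```python
"""Parse the flattened "DLL / Import" table and group the imports by capability.

Added example, not part of the report.  The capability buckets, the chain check
and the handling of the extraction format are mine.  REPORT_EXCERPT copies a
subset of the rows above (KERNEL32 and ADVAPI32 shortened); the KERNEL32 row is
split over two lines like the extracted table, to exercise continuation handling.
"""
import re
from collections import defaultdict

# A row begins with "<name>.dll" immediately followed by the first import name.
DLL_ROW = re.compile(r"^\s*([A-Za-z0-9_]+\.(?:dll|DLL))\s*(.*)$")

REPORT_EXCERPT = """\
DLLImport
WSOCK32.dllgethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
KERNEL32.dllDuplicateHandle, CreateThread, LoadLibraryA, GetProcAddress, QueryPerformanceCounter, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, IsDebuggerPresent, DeviceIoControl, LoadLibraryW, CreateEventW, SetEvent, 
GetEnvironmentVariableW, CreateProcessW, CloseHandle, ExitProcess
USER32.dllSendInput, GetAsyncKeyState, GetKeyboardState, GetKeyState, SetClipboardData, EmptyClipboard, GetClipboardData, OpenClipboard, BlockInput, keybd_event, mouse_event
ADVAPI32.dllAdjustTokenPrivileges, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, LogonUserW
"""


def parse_import_table(text: str) -> dict:
    """Return {dll: [func, ...]}.  A line that does not start with a DLL name is a
    continuation of the previous row (the extracted table wraps long rows)."""
    imports, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "DLLImport":
            continue
        m = DLL_ROW.match(line)
        if m:
            current = m.group(1)
            imports.setdefault(current, [])
            funcs = m.group(2)
        elif current is not None:
            funcs = line
        else:
            continue
        imports[current].extend(f.strip() for f in funcs.split(",") if f.strip())
    return imports


# Capability buckets (my grouping, not a standard taxonomy).
CAPABILITIES = {
    "anti-debug / timing": {"IsDebuggerPresent", "QueryPerformanceCounter", "OutputDebugStringW"},
    "input blocking / keystroke capture": {"BlockInput", "GetAsyncKeyState", "GetKeyState",
                                           "GetKeyboardState", "SendInput", "keybd_event", "mouse_event"},
    "clipboard access": {"OpenClipboard", "GetClipboardData", "SetClipboardData", "EmptyClipboard"},
    "network listener": {"bind", "listen", "accept"},
    "outbound network": {"connect", "send", "recv", "gethostbyname"},
    "remote process memory": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "token / run-as": {"LogonUserW", "CreateProcessWithLogonW", "CreateProcessAsUserW",
                       "DuplicateTokenEx", "AdjustTokenPrivileges", "OpenProcessToken"},
    "driver communication": {"DeviceIoControl"},
    "runtime API resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
}

# Multi-API primitives; a chain is only "statically present" if every member is imported.
CHAINS = {
    "tcp listener": {"socket", "bind", "listen", "accept"},
    "classic remote-thread injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "run-as / token duplication": {"OpenProcessToken", "DuplicateTokenEx", "CreateProcessAsUserW"},
    "runtime API resolution": {"LoadLibraryA", "GetProcAddress"},
}


def tag_capabilities(imports: dict) -> dict:
    """{capability: ["DLL!Func", ...]} for every imported function in CAPABILITIES."""
    hits = defaultdict(list)
    for dll, funcs in imports.items():
        for func in funcs:
            for cap, names in CAPABILITIES.items():
                if func in names:
                    hits[cap].append(f"{dll}!{func}")
    return {cap: sorted(v) for cap, v in sorted(hits.items())}


def has_chain(imports: dict, required: set) -> bool:
    present = {f for funcs in imports.values() for f in funcs}
    return required <= present


def chain_report(imports: dict) -> dict:
    return {name: has_chain(imports, apis) for name, apis in CHAINS.items()}


if __name__ == "__main__":
    table = parse_import_table(REPORT_EXCERPT)
    for cap, funcs in tag_capabilities(table).items():
        print(f"{cap:36} {', '.join(funcs)}")
    for name, ok in chain_report(table).items():
        print(f"{'present' if ok else 'absent ':8} {name}")
```

The chain check is the part worth keeping: OpenProcess, VirtualAllocEx and WriteProcessMemory are imported, but CreateRemoteThread is not, so the classic injection primitive is not statically complete, while the TCP listener chain and the run-as chain are. Because LoadLibraryA/GetProcAddress are also present, an absent chain only means "not visible in the import table", which is exactly the limit of this technique for an interpreter stub.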
Language of compilation system | Country where language is spoken | Map
English | Great Britain | (map image not captured)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 15, 2024 09:18:31.141850948 CET | 49734 | 80 | 192.168.2.9 | 34.107.221.82
Dec 15, 2024 09:18:31.142870903 CET | 49735 | 443 | 192.168.2.9 | 142.250.181.78
Dec 15, 2024 09:18:31.142935991 CET | 443 | 49735 | 142.250.181.78 | 192.168.2.9
Dec 15, 2024 09:18:31.142986059 CET | 49736 | 443 | 192.168.2.9 | 142.250.181.78
Dec 15, 2024 09:18:31.143014908 CET | 443 | 49736 | 142.250.181.78 | 192.168.2.9
Dec 15, 2024 09:18:31.143280029 CET | 49735 | 443 | 192.168.2.9 | 142.250.181.78
Dec 15, 2024 09:18:31.143295050 CET | 49736 | 443 | 192.168.2.9 | 142.250.181.78
Dec 15, 2024 09:18:31.143362045 CET | 49737 | 443 | 192.168.2.9 | 35.190.72.216
Dec 15, 2024 09:18:31.143387079 CET | 443 | 49737 | 35.190.72.216 | 192.168.2.9
Dec 15, 2024 09:18:31.143616915 CET | 49737 | 443 | 192.168.2.9 | 35.190.72.216
Dec 15, 2024 09:18:31.148299932 CET | 49735 | 443 | 192.168.2.9 | 142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.148314953 CET44349735142.250.181.78192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.149765015 CET49736443192.168.2.9142.250.181.78
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.149774075 CET44349736142.250.181.78192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.151356936 CET49737443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.151371002 CET4434973735.190.72.216192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.261698008 CET804973434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.268779993 CET4973480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.269000053 CET4973480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.387074947 CET49738443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.387125015 CET4434973834.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.387232065 CET49739443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.387238979 CET4434973935.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.388801098 CET804973434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.388957024 CET49738443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.389121056 CET49739443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.390671968 CET49738443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.390690088 CET4434973834.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.390793085 CET49739443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.390803099 CET4434973935.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.581352949 CET49740443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.581409931 CET4434974034.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.581523895 CET49740443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.583029985 CET49740443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.583053112 CET4434974034.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.078458071 CET49746443192.168.2.934.160.144.191
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.078500032 CET4434974634.160.144.191192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.078875065 CET49746443192.168.2.934.160.144.191
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.079021931 CET49746443192.168.2.934.160.144.191
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.079029083 CET4434974634.160.144.191192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.354918957 CET804973434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.368594885 CET4434973735.190.72.216192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.368760109 CET49737443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.410367966 CET4973480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.410772085 CET49737443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.410772085 CET49737443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.410797119 CET4434973735.190.72.216192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.411081076 CET4434973735.190.72.216192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.411303997 CET49737443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.606759071 CET4434973935.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.607146025 CET49739443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.610214949 CET49739443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.610228062 CET4434973935.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.610487938 CET4434973935.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.612632990 CET49739443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.612730980 CET49739443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.612783909 CET4434973935.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.612878084 CET49739443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.615463972 CET4434973834.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.616091967 CET49738443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.619585991 CET49738443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.619594097 CET4434973834.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.619709969 CET49738443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.619856119 CET4434973834.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.620109081 CET49747443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.620143890 CET4434974734.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.623882055 CET49738443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.623928070 CET49747443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.625341892 CET49747443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.625358105 CET4434974734.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.810162067 CET4434974034.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.810235977 CET49740443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.814779997 CET49740443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.814794064 CET4434974034.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.814866066 CET49740443192.168.2.934.117.188.166
Timestamp                            Src Port  Dst Port  Source IP         Dest IP
Dec 15, 2024 09:18:32.815027952 CET  443       49740     34.117.188.166    192.168.2.9
Dec 15, 2024 09:18:32.815126896 CET  49740     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:32.843698025 CET  443       49735     142.250.181.78    192.168.2.9
Dec 15, 2024 09:18:32.844082117 CET  49748     80        192.168.2.9       34.107.221.82
Dec 15, 2024 09:18:32.844423056 CET  443       49735     142.250.181.78    192.168.2.9
Dec 15, 2024 09:18:32.844480991 CET  49735     443       192.168.2.9       142.250.181.78
Dec 15, 2024 09:18:32.844496012 CET  443       49735     142.250.181.78    192.168.2.9
Dec 15, 2024 09:18:32.845705032 CET  49735     443       192.168.2.9       142.250.181.78
Dec 15, 2024 09:18:32.846334934 CET  443       49736     142.250.181.78    192.168.2.9
Dec 15, 2024 09:18:32.847032070 CET  443       49736     142.250.181.78    192.168.2.9
Dec 15, 2024 09:18:32.849059105 CET  49735     443       192.168.2.9       142.250.181.78
Dec 15, 2024 09:18:32.849064112 CET  443       49735     142.250.181.78    192.168.2.9
Dec 15, 2024 09:18:32.849149942 CET  49735     443       192.168.2.9       142.250.181.78
Dec 15, 2024 09:18:32.849283934 CET  443       49735     142.250.181.78    192.168.2.9
Dec 15, 2024 09:18:32.849304914 CET  49736     443       192.168.2.9       142.250.181.78
Dec 15, 2024 09:18:32.849330902 CET  443       49736     142.250.181.78    192.168.2.9
Dec 15, 2024 09:18:32.850311041 CET  49735     443       192.168.2.9       142.250.181.78
Dec 15, 2024 09:18:32.853605986 CET  49736     443       192.168.2.9       142.250.181.78
Dec 15, 2024 09:18:32.853621006 CET  443       49736     142.250.181.78    192.168.2.9
Dec 15, 2024 09:18:32.853671074 CET  49736     443       192.168.2.9       142.250.181.78
Dec 15, 2024 09:18:32.853900909 CET  443       49736     142.250.181.78    192.168.2.9
Dec 15, 2024 09:18:32.854067087 CET  49736     443       192.168.2.9       142.250.181.78
Dec 15, 2024 09:18:32.963761091 CET  80        49748     34.107.221.82     192.168.2.9
Dec 15, 2024 09:18:32.968012094 CET  49748     80        192.168.2.9       34.107.221.82
Dec 15, 2024 09:18:32.976893902 CET  49748     80        192.168.2.9       34.107.221.82
Dec 15, 2024 09:18:33.096673965 CET  80        49748     34.107.221.82     192.168.2.9
Dec 15, 2024 09:18:33.277689934 CET  49734     80        192.168.2.9       34.107.221.82
Dec 15, 2024 09:18:33.293493986 CET  443       49746     34.160.144.191    192.168.2.9
Dec 15, 2024 09:18:33.297739983 CET  49746     443       192.168.2.9       34.160.144.191
Dec 15, 2024 09:18:33.302807093 CET  49746     443       192.168.2.9       34.160.144.191
Dec 15, 2024 09:18:33.302829981 CET  443       49746     34.160.144.191    192.168.2.9
Dec 15, 2024 09:18:33.303286076 CET  443       49746     34.160.144.191    192.168.2.9
Dec 15, 2024 09:18:33.308413029 CET  49746     443       192.168.2.9       34.160.144.191
Dec 15, 2024 09:18:33.308581114 CET  49746     443       192.168.2.9       34.160.144.191
Dec 15, 2024 09:18:33.308640003 CET  443       49746     34.160.144.191    192.168.2.9
Dec 15, 2024 09:18:33.315072060 CET  49746     443       192.168.2.9       34.160.144.191
Dec 15, 2024 09:18:33.315072060 CET  49746     443       192.168.2.9       34.160.144.191
Dec 15, 2024 09:18:33.400156975 CET  80        49734     34.107.221.82     192.168.2.9
Dec 15, 2024 09:18:33.400283098 CET  49734     80        192.168.2.9       34.107.221.82
Dec 15, 2024 09:18:33.841542006 CET  443       49747     34.117.188.166    192.168.2.9
Dec 15, 2024 09:18:33.841746092 CET  49747     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:33.847518921 CET  49747     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:33.847546101 CET  443       49747     34.117.188.166    192.168.2.9
Dec 15, 2024 09:18:33.847595930 CET  49747     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:33.847701073 CET  443       49747     34.117.188.166    192.168.2.9
Dec 15, 2024 09:18:33.847753048 CET  49747     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:33.917665958 CET  49750     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:33.917706013 CET  443       49750     34.117.188.166    192.168.2.9
Dec 15, 2024 09:18:33.918920994 CET  49751     80        192.168.2.9       34.107.221.82
Dec 15, 2024 09:18:33.919884920 CET  49750     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:33.921295881 CET  49750     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:33.921314955 CET  443       49750     34.117.188.166    192.168.2.9
Dec 15, 2024 09:18:34.038990974 CET  80        49751     34.107.221.82     192.168.2.9
Dec 15, 2024 09:18:34.042258024 CET  49751     80        192.168.2.9       34.107.221.82
Dec 15, 2024 09:18:34.042443037 CET  49751     80        192.168.2.9       34.107.221.82
Dec 15, 2024 09:18:34.053467035 CET  80        49748     34.107.221.82     192.168.2.9
Dec 15, 2024 09:18:34.070338964 CET  49748     80        192.168.2.9       34.107.221.82
Dec 15, 2024 09:18:34.162256002 CET  80        49751     34.107.221.82     192.168.2.9
Dec 15, 2024 09:18:34.190376043 CET  80        49748     34.107.221.82     192.168.2.9
Dec 15, 2024 09:18:34.191940069 CET  49748     80        192.168.2.9       34.107.221.82
Dec 15, 2024 09:18:34.599344015 CET  49758     443       192.168.2.9       34.107.243.93
Dec 15, 2024 09:18:34.599412918 CET  443       49758     34.107.243.93     192.168.2.9
Dec 15, 2024 09:18:34.599773884 CET  49758     443       192.168.2.9       34.107.243.93
Dec 15, 2024 09:18:34.601186037 CET  49758     443       192.168.2.9       34.107.243.93
Dec 15, 2024 09:18:34.601207972 CET  443       49758     34.107.243.93     192.168.2.9
Dec 15, 2024 09:18:34.608449936 CET  49759     443       192.168.2.9       34.120.208.123
Dec 15, 2024 09:18:34.608483076 CET  443       49759     34.120.208.123    192.168.2.9
Dec 15, 2024 09:18:34.608560085 CET  49759     443       192.168.2.9       34.120.208.123
Dec 15, 2024 09:18:34.609903097 CET  49759     443       192.168.2.9       34.120.208.123
Dec 15, 2024 09:18:34.609914064 CET  443       49759     34.120.208.123    192.168.2.9
Dec 15, 2024 09:18:34.625242949 CET  49760     443       192.168.2.9       34.149.100.209
Dec 15, 2024 09:18:34.625277042 CET  443       49760     34.149.100.209    192.168.2.9
Dec 15, 2024 09:18:34.625766039 CET  49760     443       192.168.2.9       34.149.100.209
Dec 15, 2024 09:18:34.627108097 CET  49760     443       192.168.2.9       34.149.100.209
Dec 15, 2024 09:18:34.627118111 CET  443       49760     34.149.100.209    192.168.2.9
Dec 15, 2024 09:18:35.128276110 CET  80        49751     34.107.221.82     192.168.2.9
Dec 15, 2024 09:18:35.138854027 CET  443       49750     34.117.188.166    192.168.2.9
Dec 15, 2024 09:18:35.138925076 CET  49750     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:35.143166065 CET  49750     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:35.143182039 CET  443       49750     34.117.188.166    192.168.2.9
Dec 15, 2024 09:18:35.143296957 CET  49750     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:35.143356085 CET  443       49750     34.117.188.166    192.168.2.9
Dec 15, 2024 09:18:35.143713951 CET  49762     443       192.168.2.9       34.117.188.166
Dec 15, 2024 09:18:35.143759966 CET  443       49762     34.117.188.166    192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.143779039 CET49750443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.143978119 CET49762443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.145385981 CET49762443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.145401001 CET4434976234.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.169147015 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.819653034 CET4434975834.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.819736958 CET49758443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.824215889 CET49758443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.824227095 CET4434975834.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.824269056 CET49758443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.824541092 CET4434975834.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.824609041 CET49758443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.826893091 CET4434975934.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.826967955 CET49759443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.831336975 CET49759443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.831355095 CET4434975934.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.831429005 CET49759443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.831486940 CET4434975934.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.831537008 CET49759443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.845761061 CET4434976034.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.845942974 CET49760443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.850423098 CET49760443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.850434065 CET4434976034.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.850486994 CET49760443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.850617886 CET4434976034.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.850997925 CET49760443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:36.370585918 CET4434976234.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:36.370682001 CET49762443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:36.375869989 CET49762443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:36.375885963 CET4434976234.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:36.375976086 CET49762443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:36.376065016 CET4434976234.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:36.376118898 CET49762443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.174849987 CET4976880192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.290340900 CET49769443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.290394068 CET4434976935.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.293431997 CET49769443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.293550014 CET49769443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.293557882 CET4434976935.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.294666052 CET804976834.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.309216022 CET4976880192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.309531927 CET4976880192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.429842949 CET804976834.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.445396900 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.449703932 CET49770443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.449759007 CET4434977034.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.455173969 CET49770443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.460414886 CET49770443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.460447073 CET4434977034.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.566629887 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.596313000 CET49771443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.596369028 CET4434977134.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.604886055 CET49771443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.606904030 CET49771443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.606920004 CET4434977134.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.761118889 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.816097021 CET4976880192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.816468954 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.865084887 CET49772443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.865150928 CET4434977234.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.877142906 CET49772443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.877414942 CET49772443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.877432108 CET4434977234.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.979285955 CET804976834.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:43.991127014 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.111464977 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.111485958 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.305140018 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.306471109 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.356930017 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.357399940 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.446717024 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.568407059 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.761573076 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.805011988 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:53.992034912 CET49817443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:53.992095947 CET4434981734.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:53.992229939 CET49817443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:53.993772030 CET49817443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:53.993796110 CET4434981734.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:54.318547010 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:54.438958883 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:54.773140907 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:54.892832994 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.204793930 CET4434981734.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.204883099 CET49817443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.213023901 CET49817443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.213023901 CET49817443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.213064909 CET4434981734.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.213244915 CET4434981734.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.213570118 CET49817443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.214107990 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.333704948 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.528979063 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.532370090 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.575443983 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.652476072 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.847007990 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.891956091 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.308257103 CET49828443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.308301926 CET4434982835.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.311635017 CET49828443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.311923981 CET49828443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.311949968 CET4434982835.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.335971117 CET49829443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.336013079 CET4434982934.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.337181091 CET49829443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.337379932 CET49829443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.337424994 CET4434982934.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.339970112 CET49830443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.339993954 CET4434983035.190.72.216192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.345875978 CET49830443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.347558975 CET49830443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.347580910 CET4434983035.190.72.216192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.549706936 CET49831443192.168.2.9151.101.65.91
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.549755096 CET44349831151.101.65.91192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.550156116 CET49831443192.168.2.9151.101.65.91
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.550287962 CET49831443192.168.2.9151.101.65.91
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.550302029 CET44349831151.101.65.91192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.665081978 CET49832443192.168.2.935.201.103.21
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.665138006 CET4434983235.201.103.21192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.665354967 CET49832443192.168.2.935.201.103.21
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.666805983 CET49832443192.168.2.935.201.103.21
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.666820049 CET4434983235.201.103.21192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:59.522680044 CET4434982835.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:59.522762060 CET49828443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:59.526298046 CET49828443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:59.526308060 CET4434982835.244.181.201192.168.2.9
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 15, 2024 09:18:59.526566982 CET  443          49828      35.244.181.201   192.168.2.9
Dec 15, 2024 09:18:59.529196024 CET  49828        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.529289007 CET  49828        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.529356956 CET  443          49828      35.244.181.201   192.168.2.9
Dec 15, 2024 09:18:59.529898882 CET  49828        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.533345938 CET  49751        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:18:59.547894001 CET  443          49829      34.149.100.209   192.168.2.9
Dec 15, 2024 09:18:59.547983885 CET  49829        443        192.168.2.9      34.149.100.209
Dec 15, 2024 09:18:59.551176071 CET  49829        443        192.168.2.9      34.149.100.209
Dec 15, 2024 09:18:59.551204920 CET  443          49829      34.149.100.209   192.168.2.9
Dec 15, 2024 09:18:59.551434994 CET  443          49829      34.149.100.209   192.168.2.9
Dec 15, 2024 09:18:59.553841114 CET  49829        443        192.168.2.9      34.149.100.209
Dec 15, 2024 09:18:59.553921938 CET  49829        443        192.168.2.9      34.149.100.209
Dec 15, 2024 09:18:59.553999901 CET  443          49829      34.149.100.209   192.168.2.9
Dec 15, 2024 09:18:59.555160046 CET  49829        443        192.168.2.9      34.149.100.209
Dec 15, 2024 09:18:59.561959028 CET  443          49830      35.190.72.216    192.168.2.9
Dec 15, 2024 09:18:59.562033892 CET  49830        443        192.168.2.9      35.190.72.216
Dec 15, 2024 09:18:59.566603899 CET  49830        443        192.168.2.9      35.190.72.216
Dec 15, 2024 09:18:59.566633940 CET  443          49830      35.190.72.216    192.168.2.9
Dec 15, 2024 09:18:59.566690922 CET  49830        443        192.168.2.9      35.190.72.216
Dec 15, 2024 09:18:59.566801071 CET  443          49830      35.190.72.216    192.168.2.9
Dec 15, 2024 09:18:59.567127943 CET  49830        443        192.168.2.9      35.190.72.216
Dec 15, 2024 09:18:59.653404951 CET  80           49751      34.107.221.82    192.168.2.9
Dec 15, 2024 09:18:59.762846947 CET  443          49831      151.101.65.91    192.168.2.9
Dec 15, 2024 09:18:59.762933969 CET  49831        443        192.168.2.9      151.101.65.91
Dec 15, 2024 09:18:59.766349077 CET  49831        443        192.168.2.9      151.101.65.91
Dec 15, 2024 09:18:59.766359091 CET  443          49831      151.101.65.91    192.168.2.9
Dec 15, 2024 09:18:59.766645908 CET  443          49831      151.101.65.91    192.168.2.9
Dec 15, 2024 09:18:59.769037008 CET  49831        443        192.168.2.9      151.101.65.91
Dec 15, 2024 09:18:59.769133091 CET  49831        443        192.168.2.9      151.101.65.91
Dec 15, 2024 09:18:59.769232988 CET  443          49831      151.101.65.91    192.168.2.9
Dec 15, 2024 09:18:59.772094965 CET  49831        443        192.168.2.9      151.101.65.91
Dec 15, 2024 09:18:59.777559042 CET  49834        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.777601004 CET  443          49834      35.244.181.201   192.168.2.9
Dec 15, 2024 09:18:59.777791023 CET  49834        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.777915001 CET  49834        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.777930975 CET  443          49834      35.244.181.201   192.168.2.9
Dec 15, 2024 09:18:59.779659986 CET  49835        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.779694080 CET  443          49835      35.244.181.201   192.168.2.9
Dec 15, 2024 09:18:59.779938936 CET  49835        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.780062914 CET  49835        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.780070066 CET  443          49835      35.244.181.201   192.168.2.9
Dec 15, 2024 09:18:59.782033920 CET  49836        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.782075882 CET  443          49836      35.244.181.201   192.168.2.9
Dec 15, 2024 09:18:59.782274008 CET  49836        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.782351971 CET  49836        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:18:59.782363892 CET  443          49836      35.244.181.201   192.168.2.9
Dec 15, 2024 09:18:59.848192930 CET  80           49751      34.107.221.82    192.168.2.9
Dec 15, 2024 09:18:59.863452911 CET  49784        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:18:59.882994890 CET  443          49832      35.201.103.21    192.168.2.9
Dec 15, 2024 09:18:59.883353949 CET  49832        443        192.168.2.9      35.201.103.21
Dec 15, 2024 09:18:59.887526035 CET  49832        443        192.168.2.9      35.201.103.21
Dec 15, 2024 09:18:59.887541056 CET  443          49832      35.201.103.21    192.168.2.9
Dec 15, 2024 09:18:59.887614965 CET  49832        443        192.168.2.9      35.201.103.21
Dec 15, 2024 09:18:59.887728930 CET  443          49832      35.201.103.21    192.168.2.9
Dec 15, 2024 09:18:59.887841940 CET  49832        443        192.168.2.9      35.201.103.21
Dec 15, 2024 09:18:59.890352964 CET  49751        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:18:59.900604963 CET  49837        443        192.168.2.9      34.149.100.209
Dec 15, 2024 09:18:59.900672913 CET  443          49837      34.149.100.209   192.168.2.9
Dec 15, 2024 09:18:59.900748968 CET  49837        443        192.168.2.9      34.149.100.209
Dec 15, 2024 09:18:59.900903940 CET  49837        443        192.168.2.9      34.149.100.209
Dec 15, 2024 09:18:59.900918007 CET  443          49837      34.149.100.209   192.168.2.9
Dec 15, 2024 09:18:59.983294964 CET  80           49784      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:00.010304928 CET  80           49751      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:00.178385973 CET  80           49784      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:00.205632925 CET  80           49751      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:00.212281942 CET  49784        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:00.251411915 CET  49751        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:00.333363056 CET  80           49784      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:00.527203083 CET  80           49784      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:00.574476957 CET  49784        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:00.671772003 CET  49751        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:00.793315887 CET  80           49751      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:00.988086939 CET  80           49751      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:00.988615036 CET  443          49834      35.244.181.201   192.168.2.9
Dec 15, 2024 09:19:00.989795923 CET  49834        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:19:00.991172075 CET  443          49835      35.244.181.201   192.168.2.9
Dec 15, 2024 09:19:00.991328955 CET  49835        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:19:00.993954897 CET  49834        443        192.168.2.9      35.244.181.201
Dec 15, 2024 09:19:00.993973017 CET  443          49834      35.244.181.201   192.168.2.9
Dec 15, 2024 09:19:00.994152069 CET  443          49836      35.244.181.201   192.168.2.9
Dec 15, 2024 09:19:00.994271040 CET  443          49834      35.244.181.201   192.168.2.9
Dec 15, 2024 09:19:00.994313955 CET  49784        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:00.997776985 CET  49835        443        192.168.2.9      35.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:00.997798920 CET4434983535.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:00.998080015 CET4434983535.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:00.999330997 CET4434983635.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.001218081 CET49834443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.001322985 CET49834443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.001421928 CET4434983435.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.002145052 CET49835443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.002257109 CET49835443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.002300024 CET4434983535.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.002624989 CET49834443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.002645969 CET49835443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.002661943 CET49836443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.002665043 CET49834443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.006005049 CET49836443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.006022930 CET4434983635.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.006310940 CET4434983635.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.006917000 CET49835443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.010761023 CET49836443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.010853052 CET49836443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.010951042 CET4434983635.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.011498928 CET49836443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.012653112 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.111689091 CET4434983734.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.111800909 CET49837443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.115286112 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.116261005 CET49837443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.116274118 CET4434983734.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.116559982 CET4434983734.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.119048119 CET49837443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.119204998 CET49837443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.119226933 CET4434983734.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.119692087 CET49837443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.132353067 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.310156107 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.327533007 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.333198071 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.376864910 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.452977896 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.647847891 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.693361998 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:11.339679003 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:11.459497929 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:11.656191111 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:11.776123047 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:15.778151989 CET49878443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:15.778198957 CET4434987834.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:15.778542042 CET49878443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:15.780030966 CET49878443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:15.780042887 CET4434987834.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:16.990098953 CET4434987834.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:16.990200043 CET49878443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:16.994999886 CET49878443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:16.995004892 CET4434987834.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:16.995088100 CET49878443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:16.995208025 CET4434987834.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:16.995943069 CET49878443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:16.997714043 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:17.117554903 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:17.312721014 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:17.316502094 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:17.360394001 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:17.436222076 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:17.630717993 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:17.673959017 CET4978480192.168.2.934.107.221.82
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 15, 2024 09:19:27.316020966 CET  49751        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:27.435708046 CET  80           49751      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:27.632528067 CET  49784        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:27.752269030 CET  80           49784      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:28.828366995 CET  49909        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:28.828490019 CET  443          49909      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:28.828516960 CET  49910        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:28.828598976 CET  49909        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:28.828620911 CET  443          49910      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:28.828730106 CET  49909        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:28.828753948 CET  443          49909      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:28.828818083 CET  49910        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:28.828937054 CET  49910        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:28.828988075 CET  443          49910      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.041397095 CET  443          49910      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.041522980 CET  49910        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.041574955 CET  443          49909      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.041647911 CET  49909        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.044847965 CET  49910        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.044861078 CET  443          49910      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.045160055 CET  443          49910      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.047346115 CET  49909        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.047354937 CET  443          49909      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.047689915 CET  443          49909      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.050717115 CET  49910        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.050848961 CET  49910        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.050962925 CET  443          49910      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.051101923 CET  49909        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.051166058 CET  49909        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.051290035 CET  443          49909      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.051311016 CET  49910        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.051374912 CET  49909        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.055512905 CET  49751        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:30.058384895 CET  49913        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.058417082 CET  443          49913      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.058691978 CET  49913        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.058800936 CET  49913        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.058815002 CET  443          49913      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.066982985 CET  49914        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.067025900 CET  443          49914      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.067373991 CET  49914        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.067492962 CET  49914        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.067507029 CET  443          49914      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.069976091 CET  49915        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.070020914 CET  443          49915      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.070126057 CET  49915        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.070228100 CET  49915        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:30.070240974 CET  443          49915      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:30.175457001 CET  80           49751      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:30.370487928 CET  80           49751      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:30.374300957 CET  49784        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:30.425358057 CET  49751        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:30.494010925 CET  80           49784      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:30.688791990 CET  80           49784      34.107.221.82    192.168.2.9
Dec 15, 2024 09:19:30.741839886 CET  49784        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:31.270139933 CET  443          49913      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.270241976 CET  49913        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.273696899 CET  49913        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.273708105 CET  443          49913      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.273969889 CET  443          49913      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.276514053 CET  49913        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.276650906 CET  49913        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.276674986 CET  443          49913      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.277498007 CET  443          49914      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.279397964 CET  49751        80         192.168.2.9      34.107.221.82
Dec 15, 2024 09:19:31.281114101 CET  49913        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.281841993 CET  443          49915      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.281896114 CET  49914        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.282156944 CET  49915        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.284359932 CET  49914        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.284377098 CET  443          49914      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.284646034 CET  443          49914      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.286951065 CET  49915        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.286959887 CET  443          49915      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.287252903 CET  443          49915      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.290669918 CET  49914        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.290669918 CET  49914        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.290740967 CET  49915        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.290793896 CET  49915        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.290971994 CET  443          49914      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.291125059 CET  49914        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.291402102 CET  443          49915      34.120.208.123   192.168.2.9
Dec 15, 2024 09:19:31.291471004 CET  49915        443        192.168.2.9      34.120.208.123
Dec 15, 2024 09:19:31.399097919 CET  80           49751      34.107.221.82    192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:31.594022036 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:31.599042892 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:31.644529104 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:31.718816996 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:31.913476944 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:31.961081028 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:41.610430956 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:41.817126989 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:41.926816940 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:42.046797037 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:51.843013048 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:51.962985039 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:52.057125092 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:52.177890062 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:57.737706900 CET49979443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:57.737751007 CET4434997934.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:57.737895966 CET49979443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:57.742036104 CET49979443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:57.742053986 CET4434997934.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:58.952053070 CET4434997934.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:58.952234983 CET49979443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:58.957214117 CET49979443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:58.957233906 CET4434997934.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:58.957329035 CET49979443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:58.957472086 CET4434997934.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:58.958224058 CET49979443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:58.960158110 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:59.079849958 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:59.276022911 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:59.279994011 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:59.324985981 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:59.399758101 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:59.594347000 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:59.641458035 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:09.291501999 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:09.411374092 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:09.608042002 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:09.727823973 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:19.422059059 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:19.639588118 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:19.738691092 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:19.880295992 CET804978434.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:29.640727043 CET4975180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:29.761012077 CET804975134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:29.894720078 CET4978480192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:20:30.014501095 CET804978434.107.221.82192.168.2.9
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 15, 2024 09:18:31.001981020 CET  55821        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.002255917 CET  57340        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.140283108 CET  53           57340      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.142072916 CET  64026        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.144001961 CET  58829        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.144704103 CET  55020        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.224437952 CET  59296        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.279618025 CET  53           64026      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.280965090 CET  60919        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.282011032 CET  53           55020      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.283226013 CET  53           58829      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.286238909 CET  51875        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.286667109 CET  62878        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.362407923 CET  53           59296      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.417968035 CET  53           60919      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.423573971 CET  53           51875      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.427392960 CET  53           62878      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.440603971 CET  58582        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.441323042 CET  55050        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.441765070 CET  53728        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.578465939 CET  53           58582      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.578773975 CET  53           55050      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.579190016 CET  53           53728      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.580195904 CET  49719        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.580296040 CET  61351        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.581453085 CET  62550        53         192.168.2.9     1.1.1.1
Dec 15, 2024 09:18:31.717973948 CET  53           49719      1.1.1.1         192.168.2.9
Dec 15, 2024 09:18:31.718198061 CET  53           61351      1.1.1.1         192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.721005917 CET53625501.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.726001024 CET5249253192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.863761902 CET53524921.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:31.927709103 CET6034653192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.065119028 CET53603461.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.080050945 CET6109353192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.217386961 CET53610931.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.218332052 CET5802053192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.356036901 CET53580201.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.404454947 CET6023153192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.404901028 CET5770253192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.542184114 CET53602311.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.542566061 CET53577021.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:32.698990107 CET5127353192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.054323912 CET6078853192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.176233053 CET5923253192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.314126015 CET53592321.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.322300911 CET5486553192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.459803104 CET53548651.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.460566044 CET5429953192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.485980034 CET5498453192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.598550081 CET53542991.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.608762026 CET6120253192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.624110937 CET53549841.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.625711918 CET6129553192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.739334106 CET53584491.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.747987986 CET53612021.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.763216019 CET53612951.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.770697117 CET6296553192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.770932913 CET5635853192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.908025980 CET53563581.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.908107996 CET53629651.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.143124104 CET5219153192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.171231031 CET6018153192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.285897970 CET53521911.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.290817022 CET5613253192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.309849024 CET53601811.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.313246012 CET5256253192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.451524019 CET53525621.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.461281061 CET6338953192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.542692900 CET53561321.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.600581884 CET53633891.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:42.147181988 CET5708953192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:42.154973984 CET5242553192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:42.286990881 CET53570891.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:42.292416096 CET53524251.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:42.293498993 CET5434053192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:42.431535006 CET53543401.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.617247105 CET6235753192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.617357016 CET5717253192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.617528915 CET5304553192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757400990 CET53571721.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET53623571.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.758373022 CET6398153192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.758441925 CET53530451.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.758512020 CET5343453192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.759083986 CET5853153192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895673990 CET53639811.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895699978 CET53534341.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.896429062 CET6073653192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.896477938 CET5775453192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.898406982 CET53585311.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.899017096 CET6342353192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.034533024 CET53577541.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.035427094 CET5242153192.168.2.91.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:42.154973984 CET192.168.2.91.1.1.10x1b47Standard query (0)push.services.mozilla.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:42.293498993 CET192.168.2.91.1.1.10x834bStandard query (0)push.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.617247105 CET192.168.2.91.1.1.10xf82cStandard query (0)www.youtube.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.617357016 CET192.168.2.91.1.1.10x7e51Standard query (0)www.facebook.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.617528915 CET192.168.2.91.1.1.10x7a6cStandard query (0)www.wikipedia.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.758373022 CET192.168.2.91.1.1.10x1a54Standard query (0)star-mini.c10r.facebook.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.758512020 CET192.168.2.91.1.1.10x1a9eStandard query (0)youtube-ui.l.google.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.759083986 CET192.168.2.91.1.1.10x5241Standard query (0)dyna.wikimedia.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.896429062 CET192.168.2.91.1.1.10x5d64Standard query (0)star-mini.c10r.facebook.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.896477938 CET192.168.2.91.1.1.10xb142Standard query (0)youtube-ui.l.google.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.899017096 CET192.168.2.91.1.1.10x467aStandard query (0)dyna.wikimedia.org28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.035427094 CET192.168.2.91.1.1.10xc46bStandard query (0)www.reddit.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.036709070 CET192.168.2.91.1.1.10xfd87Standard query (0)twitter.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:50.375720978 CET192.168.2.91.1.1.10x40ecStandard query (0)reddit.map.fastly.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:50.377592087 CET192.168.2.91.1.1.10x324Standard query (0)twitter.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:50.514336109 CET192.168.2.91.1.1.10xa4ceStandard query (0)reddit.map.fastly.net28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:50.515243053 CET192.168.2.91.1.1.10x2c6Standard query (0)twitter.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:53.992691040 CET192.168.2.91.1.1.10xe602Standard query (0)push.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.308644056 CET192.168.2.91.1.1.10xe074Standard query (0)prod.balrog.prod.cloudops.mozgcp.net28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.328146935 CET192.168.2.91.1.1.10x47d5Standard query (0)services.addons.mozilla.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.340703964 CET192.168.2.91.1.1.10xbcf8Standard query (0)normandy.cdn.mozilla.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.550101042 CET192.168.2.91.1.1.10xd9cbStandard query (0)services.addons.mozilla.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.665287971 CET192.168.2.91.1.1.10x966Standard query (0)normandy-cdn.services.mozilla.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.688839912 CET192.168.2.91.1.1.10x619bStandard query (0)services.addons.mozilla.org28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:58.875426054 CET192.168.2.91.1.1.10x1c86Standard query (0)normandy-cdn.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:15.639589071 CET192.168.2.91.1.1.10xd9d0Standard query (0)push.services.mozilla.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:15.778395891 CET192.168.2.91.1.1.10x6599Standard query (0)push.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:16.997950077 CET192.168.2.91.1.1.10xf3ceStandard query (0)detectportal.firefox.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:28.829030991 CET192.168.2.91.1.1.10x23f4Standard query (0)telemetry-incoming.r53-2.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:30.055912018 CET192.168.2.91.1.1.10xde17Standard query (0)detectportal.firefox.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:57.595383883 CET192.168.2.91.1.1.10x9791Standard query (0)push.services.mozilla.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:57.734493971 CET192.168.2.91.1.1.10x8becStandard query (0)push.services.mozilla.com28IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.459803104 CET1.1.1.1192.168.2.90x33dNo error (0)push.services.mozilla.com34.107.243.93A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.607515097 CET1.1.1.1192.168.2.90xb203No error (0)telemetry-incoming.r53-2.services.mozilla.com34.120.208.123A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.624110937 CET1.1.1.1192.168.2.90x1afcNo error (0)firefox.settings.services.mozilla.comprod.remote-settings.prod.webservices.mozgcp.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.624110937 CET1.1.1.1192.168.2.90x1afcNo error (0)prod.remote-settings.prod.webservices.mozgcp.net34.149.100.209A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.747987986 CET1.1.1.1192.168.2.90x489dNo error (0)telemetry-incoming.r53-2.services.mozilla.com34.120.208.123A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:34.763216019 CET1.1.1.1192.168.2.90x5a0aNo error (0)prod.remote-settings.prod.webservices.mozgcp.net34.149.100.209A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.268966913 CET1.1.1.1192.168.2.90x1f32No error (0)balrog-aus5.r53-2.services.mozilla.comprod.balrog.prod.cloudops.mozgcp.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.268966913 CET1.1.1.1192.168.2.90x1f32No error (0)prod.balrog.prod.cloudops.mozgcp.net35.244.181.201A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.285897970 CET1.1.1.1192.168.2.90x6f3No error (0)support.mozilla.orgprod.sumo.prod.webservices.mozgcp.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.285897970 CET1.1.1.1192.168.2.90x6f3No error (0)prod.sumo.prod.webservices.mozgcp.netus-west1.prod.sumo.prod.webservices.mozgcp.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.285897970 CET1.1.1.1192.168.2.90x6f3No error (0)us-west1.prod.sumo.prod.webservices.mozgcp.net34.149.128.2A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.451524019 CET1.1.1.1192.168.2.90x972eNo error (0)us-west1.prod.sumo.prod.webservices.mozgcp.net34.149.128.2A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.542692900 CET1.1.1.1192.168.2.90xf27eNo error (0)prod.balrog.prod.cloudops.mozgcp.net35.244.181.201A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.586781025 CET1.1.1.1192.168.2.90xaa40No error (0)telemetry-incoming.r53-2.services.mozilla.com34.120.208.123A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:42.292416096 CET1.1.1.1192.168.2.90x1b47No error (0)push.services.mozilla.com34.107.243.93A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757400990 CET1.1.1.1192.168.2.90x7e51No error (0)www.facebook.comstar-mini.c10r.facebook.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757400990 CET1.1.1.1192.168.2.90x7e51No error (0)star-mini.c10r.facebook.com157.240.196.35A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET1.1.1.1192.168.2.90xf82cNo error (0)www.youtube.comyoutube-ui.l.google.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET1.1.1.1192.168.2.90xf82cNo error (0)youtube-ui.l.google.com172.217.19.14A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET1.1.1.1192.168.2.90xf82cNo error (0)youtube-ui.l.google.com172.217.17.78A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET1.1.1.1192.168.2.90xf82cNo error (0)youtube-ui.l.google.com216.58.208.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET1.1.1.1192.168.2.90xf82cNo error (0)youtube-ui.l.google.com142.250.181.110A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET1.1.1.1192.168.2.90xf82cNo error (0)youtube-ui.l.google.com142.250.181.142A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET1.1.1.1192.168.2.90xf82cNo error (0)youtube-ui.l.google.com172.217.17.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET1.1.1.1192.168.2.90xf82cNo error (0)youtube-ui.l.google.com172.217.19.206A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET1.1.1.1192.168.2.90xf82cNo error (0)youtube-ui.l.google.com172.217.21.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET1.1.1.1192.168.2.90xf82cNo error (0)youtube-ui.l.google.com172.217.19.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.757425070 CET1.1.1.1192.168.2.90xf82cNo error (0)youtube-ui.l.google.com142.250.181.78A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.758441925 CET1.1.1.1192.168.2.90x7a6cNo error (0)www.wikipedia.orgdyna.wikimedia.orgCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.758441925 CET1.1.1.1192.168.2.90x7a6cNo error (0)dyna.wikimedia.org185.15.58.224A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895673990 CET1.1.1.1192.168.2.90x1a54No error (0)star-mini.c10r.facebook.com157.240.196.35A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895699978 CET1.1.1.1192.168.2.90x1a9eNo error (0)youtube-ui.l.google.com172.217.19.14A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895699978 CET1.1.1.1192.168.2.90x1a9eNo error (0)youtube-ui.l.google.com172.217.19.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895699978 CET1.1.1.1192.168.2.90x1a9eNo error (0)youtube-ui.l.google.com142.250.181.78A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895699978 CET1.1.1.1192.168.2.90x1a9eNo error (0)youtube-ui.l.google.com172.217.21.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895699978 CET1.1.1.1192.168.2.90x1a9eNo error (0)youtube-ui.l.google.com142.250.181.110A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895699978 CET1.1.1.1192.168.2.90x1a9eNo error (0)youtube-ui.l.google.com172.217.17.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895699978 CET1.1.1.1192.168.2.90x1a9eNo error (0)youtube-ui.l.google.com142.250.181.142A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895699978 CET1.1.1.1192.168.2.90x1a9eNo error (0)youtube-ui.l.google.com172.217.19.206A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895699978 CET1.1.1.1192.168.2.90x1a9eNo error (0)youtube-ui.l.google.com216.58.208.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.895699978 CET1.1.1.1192.168.2.90x1a9eNo error (0)youtube-ui.l.google.com172.217.17.78A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:48.898406982 CET1.1.1.1192.168.2.90x5241No error (0)dyna.wikimedia.org185.15.58.224A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.034533024 CET1.1.1.1192.168.2.90xb142No error (0)youtube-ui.l.google.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.034533024 CET1.1.1.1192.168.2.90xb142No error (0)youtube-ui.l.google.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.034533024 CET1.1.1.1192.168.2.90xb142No error (0)youtube-ui.l.google.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.034533024 CET1.1.1.1192.168.2.90xb142No error (0)youtube-ui.l.google.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.035944939 CET1.1.1.1192.168.2.90x5d64No error (0)star-mini.c10r.facebook.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.036715031 CET1.1.1.1192.168.2.90x467aNo error (0)dyna.wikimedia.org28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.173266888 CET1.1.1.1192.168.2.90xc46bNo error (0)www.reddit.comreddit.map.fastly.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.173266888 CET1.1.1.1192.168.2.90xc46bNo error (0)reddit.map.fastly.net151.101.193.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.173266888 CET1.1.1.1192.168.2.90xc46bNo error (0)reddit.map.fastly.net151.101.65.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.173266888 CET1.1.1.1192.168.2.90xc46bNo error (0)reddit.map.fastly.net151.101.129.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.173266888 CET1.1.1.1192.168.2.90xc46bNo error (0)reddit.map.fastly.net151.101.1.140A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:49.174323082 CET1.1.1.1192.168.2.90xfd87No error (0)twitter.com104.244.42.193A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:50.513484001 CET1.1.1.1192.168.2.90x40ecNo error (0)reddit.map.fastly.net151.101.1.140A (IP address)IN (0x0001)false
All rows below share Source IP 1.1.1.1 (resolver), Dest IP 192.168.2.9 (analysis VM), Reply Code No error (0), Class IN (0x0001), DNS over HTTPS false. The Data column holds the CNAME target for CNAME answers and the address for A answers; the type-28 (AAAA) answers carry no address data in the report.

Timestamp | Trans ID | Name | Data | Type
Dec 15, 2024 09:18:50.513484001 CET | 0x40ec | reddit.map.fastly.net | 151.101.65.140 | A (IP address)
Dec 15, 2024 09:18:50.513484001 CET | 0x40ec | reddit.map.fastly.net | 151.101.129.140 | A (IP address)
Dec 15, 2024 09:18:50.513484001 CET | 0x40ec | reddit.map.fastly.net | 151.101.193.140 | A (IP address)
Dec 15, 2024 09:18:50.514631987 CET | 0x324 | twitter.com | 104.244.42.65 | A (IP address)
Dec 15, 2024 09:18:58.548660040 CET | 0x47d5 | services.addons.mozilla.org | 151.101.65.91 | A (IP address)
Dec 15, 2024 09:18:58.548660040 CET | 0x47d5 | services.addons.mozilla.org | 151.101.1.91 | A (IP address)
Dec 15, 2024 09:18:58.548660040 CET | 0x47d5 | services.addons.mozilla.org | 151.101.193.91 | A (IP address)
Dec 15, 2024 09:18:58.548660040 CET | 0x47d5 | services.addons.mozilla.org | 151.101.129.91 | A (IP address)
Dec 15, 2024 09:18:58.663783073 CET | 0xbcf8 | normandy.cdn.mozilla.net | normandy-cdn.services.mozilla.com | CNAME (Canonical name)
Dec 15, 2024 09:18:58.663783073 CET | 0xbcf8 | normandy-cdn.services.mozilla.com | 35.201.103.21 | A (IP address)
Dec 15, 2024 09:18:58.688071012 CET | 0xd9cb | services.addons.mozilla.org | 151.101.65.91 | A (IP address)
Dec 15, 2024 09:18:58.688071012 CET | 0xd9cb | services.addons.mozilla.org | 151.101.193.91 | A (IP address)
Dec 15, 2024 09:18:58.688071012 CET | 0xd9cb | services.addons.mozilla.org | 151.101.1.91 | A (IP address)
Dec 15, 2024 09:18:58.688071012 CET | 0xd9cb | services.addons.mozilla.org | 151.101.129.91 | A (IP address)
Dec 15, 2024 09:18:58.826579094 CET | 0x619b | services.addons.mozilla.org | (none) | 28 (AAAA)
Dec 15, 2024 09:18:58.826579094 CET | 0x619b | services.addons.mozilla.org | (none) | 28 (AAAA)
Dec 15, 2024 09:18:58.826579094 CET | 0x619b | services.addons.mozilla.org | (none) | 28 (AAAA)
Dec 15, 2024 09:18:58.826579094 CET | 0x619b | services.addons.mozilla.org | (none) | 28 (AAAA)
Dec 15, 2024 09:18:58.870954037 CET | 0x966 | normandy-cdn.services.mozilla.com | 35.201.103.21 | A (IP address)
Dec 15, 2024 09:19:01.522970915 CET | 0xf13a | a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com | a17.rackcdn.com | CNAME (Canonical name)
Dec 15, 2024 09:19:01.522970915 CET | 0xf13a | a17.rackcdn.com | a17.rackcdn.com.mdc.edgesuite.net | CNAME (Canonical name)
Dec 15, 2024 09:19:15.777054071 CET | 0xd9d0 | push.services.mozilla.com | 34.107.243.93 | A (IP address)
Dec 15, 2024 09:19:17.134773016 CET | 0xf3ce | detectportal.firefox.com | detectportal.prod.mozaws.net | CNAME (Canonical name)
Dec 15, 2024 09:19:17.134773016 CET | 0xf3ce | prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82 | A (IP address)
Dec 15, 2024 09:19:28.827214003 CET | 0xabd7 | telemetry-incoming.r53-2.services.mozilla.com | 34.120.208.123 | A (IP address)
Dec 15, 2024 09:19:30.193794012 CET | 0xde17 | detectportal.firefox.com | detectportal.prod.mozaws.net | CNAME (Canonical name)
Dec 15, 2024 09:19:30.193794012 CET | 0xde17 | prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82 | A (IP address)
Dec 15, 2024 09:19:57.732924938 CET | 0x9791 | push.services.mozilla.com | 34.107.243.93 | A (IP address)
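Every answer above was returned to the analysis VM by 1.1.1.1, and the HTTP sessions that follow attribute the detectportal.firefox.com traffic to firefox.exe (PID 7944). The first triage step for a DNS list like this is to separate the browser's own background-service lookups from whatever is left. The Python below is an added example and is not part of the Joe Sandbox report: it works on a constructed, de-duplicated copy of the answer rows above (timestamps dropped, repeated transactions collapsed), groups them by DNS transaction ID, buckets names under an assumed Mozilla/Firefox suffix allowlist, and builds an IP-to-name pivot. The allowlist and the choice to group by transaction ID rather than follow CNAME targets are this example's own; the reddit, twitter and rackcdn lookups are simply left for review, since the report does not say which process issued them.

```python
"""Triage sandbox DNS-answer rows by DNS transaction.

Added example, not part of the Joe Sandbox report. ANSWERS is a constructed,
de-duplicated copy of the report's answer rows; BROWSER_NOISE_SUFFIXES is an
assumption of this example.
"""
from collections import defaultdict

# Constructed from the report's rows: (transaction id, name, data, type).
# The type-28 (AAAA) rows in the report carry no address data, so data is "".
ANSWERS = [
    ("0x40ec", "reddit.map.fastly.net", "151.101.65.140", "A"),
    ("0x40ec", "reddit.map.fastly.net", "151.101.129.140", "A"),
    ("0x40ec", "reddit.map.fastly.net", "151.101.193.140", "A"),
    ("0x324", "twitter.com", "104.244.42.65", "A"),
    ("0x47d5", "services.addons.mozilla.org", "151.101.65.91", "A"),
    ("0x47d5", "services.addons.mozilla.org", "151.101.1.91", "A"),
    ("0x47d5", "services.addons.mozilla.org", "151.101.193.91", "A"),
    ("0x47d5", "services.addons.mozilla.org", "151.101.129.91", "A"),
    ("0xbcf8", "normandy.cdn.mozilla.net", "normandy-cdn.services.mozilla.com", "CNAME"),
    ("0xbcf8", "normandy-cdn.services.mozilla.com", "35.201.103.21", "A"),
    ("0x619b", "services.addons.mozilla.org", "", "28"),
    ("0xf13a", "a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com",
     "a17.rackcdn.com", "CNAME"),
    ("0xf13a", "a17.rackcdn.com", "a17.rackcdn.com.mdc.edgesuite.net", "CNAME"),
    ("0xd9d0", "push.services.mozilla.com", "34.107.243.93", "A"),
    ("0xf3ce", "detectportal.firefox.com", "detectportal.prod.mozaws.net", "CNAME"),
    ("0xf3ce", "prod.detectportal.prod.cloudops.mozgcp.net", "34.107.221.82", "A"),
    ("0xabd7", "telemetry-incoming.r53-2.services.mozilla.com", "34.120.208.123", "A"),
]

# Assumed allowlist of Firefox background-service domains (this example's
# assumption, not something the report states).
BROWSER_NOISE_SUFFIXES = (".mozilla.org", ".mozilla.net", ".mozilla.com", ".firefox.com")


def group_by_transaction(answers):
    """Return {txid: {"query", "ips", "cnames", "no_data"}}.

    All answer rows sharing a transaction ID belong to one query, so the
    queried name is the name on the transaction's first row. Grouping by ID
    instead of chasing CNAME targets matters because the chains in the report
    are not contiguous: in 0xf3ce the A record's owner name
    (prod.detectportal.prod.cloudops.mozgcp.net) is not the CNAME target on
    the row before it, so target-following would lose the address.
    """
    groups = {}
    for txid, name, data, rtype in answers:
        g = groups.setdefault(
            txid, {"query": name, "ips": [], "cnames": [], "no_data": False})
        if rtype == "A":
            g["ips"].append(data)
        elif rtype == "CNAME":
            g["cnames"].append(data)
        elif data == "":
            g["no_data"] = True   # e.g. the empty AAAA answers
    return groups


def is_browser_noise(name):
    """True when the queried name falls under the assumed Firefox allowlist."""
    return name.endswith(BROWSER_NOISE_SUFFIXES)


def triage(answers):
    """Split transactions into browser noise vs. lookups left for review."""
    noise, review = {}, {}
    for txid, g in group_by_transaction(answers).items():
        (noise if is_browser_noise(g["query"]) else review)[txid] = g
    return noise, review


def ip_to_names(answers):
    """Map each resolved IP to the queried names that produced it (IOC pivot)."""
    out = defaultdict(set)
    for g in group_by_transaction(answers).values():
        for ip in g["ips"]:
            out[ip].add(g["query"])
    return {ip: sorted(names) for ip, names in out.items()}


if __name__ == "__main__":
    noise, review = triage(ANSWERS)
    print(f"{len(noise)} Firefox service lookups, {len(review)} left for review:")
    for txid, g in review.items():
        print(f"  {txid}: {g['query']} -> {g['ips'] or g['cnames'] or 'no data'}")
```

Run stand-alone it reports six transactions as browser noise and leaves 0x40ec, 0x324 and 0xf13a for review; note that 0xf13a resolves only to CNAMEs on the page, so there is no address to pivot on and the name itself is the indicator.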
• detectportal.firefox.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49734 | 34.107.221.82 | 80 | 7944 | C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp | Bytes transferred | Direction | Data
Dec 15, 2024 09:18:31.269000053 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 15, 2024 09:18:32.354918957 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Sat, 14 Dec 2024 10:09:25 GMT
Age: 79747
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49748 | 34.107.221.82 | 80 | 7944 | C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp | Bytes transferred | Direction | Data
Dec 15, 2024 09:18:32.976893902 CET | 305 | OUT | GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 15, 2024 09:18:34.053467035 CET | 216 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Sat, 14 Dec 2024 09:34:53 GMT
Age: 81820
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49751 | 34.107.221.82 | 80 | 7944 | C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp | Bytes transferred | Direction | Data
Dec 15, 2024 09:18:34.042443037 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:35.128276110 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 03:48:09 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 16225
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.445396900 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:37.761118889 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 03:48:09 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 16228
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:41.916656971 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:42.232301950 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 03:48:09 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 16233
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:43.413935900 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:43.732090950 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 03:48:09 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 16234
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 15, 2024 09:18:43.991127014 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 15, 2024 09:18:44.306471109 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Sun, 15 Dec 2024 03:48:09 GMT
Age: 16235
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 15, 2024 09:18:54.318547010 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 15, 2024 09:18:55.214107990 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 15, 2024 09:18:55.528979063 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Sun, 15 Dec 2024 03:48:09 GMT
Age: 16246
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 15, 2024 09:18:59.533345938 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 15, 2024 09:18:59.848192930 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Sun, 15 Dec 2024 03:48:09 GMT
Age: 16250
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 15, 2024 09:18:59.890352964 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 15, 2024 09:19:00.205632925 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Sun, 15 Dec 2024 03:48:09 GMT
Age: 16251
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
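The exchanges above are Firefox's captive-portal probe (GET /canonical.html on detectportal.firefox.com, answered by a 90-byte meta refresh to support.mozilla.org/kb/captive-portal), not traffic initiated by the sample. The following is an added triage helper, not code from the report or from Joe Security: it parses records in the report's own layout (timestamp, size, direction, first line, then header lines and optional Data Raw / Data Ascii lines), checks that each hex dump matches its ASCII rendering and the advertised Content-Length, and separates known browser background hosts from hosts worth attributing to the sample. The excerpt embedded in SAMPLE_TRANSCRIPT is constructed from the exchange above, the BACKGROUND_HOSTS set is an assumption, and the rule that the ASCII view drops non-printable bytes is inferred from the empty Data Ascii line that follows the 0x00 keep-alive byte.

```python
"""Added triage helper for a Joe Sandbox HTTP transcript (not report code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the detectportal.firefox.com exchange from the report.
SAMPLE_TRANSCRIPT = """\
Dec 15, 2024 09:18:43.991127014 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Dec 15, 2024 09:18:44.306471109 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Content-Type: text/html
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 15, 2024 09:18:54.318547010 CET | 6 | OUT | Data Raw: 00
Data Ascii:
"""

# Assumption: hosts the OS or browser contacts on its own inside the sandbox.
# Firefox probes detectportal.firefox.com for captive portals; requests to it
# are background noise, not behaviour of the analysed sample.
BACKGROUND_HOSTS = {"detectportal.firefox.com"}

RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)"
    r" \| (?P<size>\d+) \| (?P<dir>IN|OUT) \| (?P<first>.*)$"
)


@dataclass
class Record:
    ts: str
    size: int
    direction: str
    first_line: str                      # request line, status line, or ""
    headers: Dict[str, str] = field(default_factory=dict)
    raw_hex: Optional[str] = None        # body as the report's hex dump
    ascii: Optional[str] = None          # body as the report's ASCII view


def parse_transcript(text: str) -> List[Record]:
    """Split the transcript into records; header names are lower-cased."""
    records: List[Record] = []
    cur: Optional[Record] = None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            cur = Record(m["ts"], int(m["size"]), m["dir"], m["first"])
            records.append(cur)
            if cur.first_line.startswith("Data Raw:"):  # body-only record
                cur.raw_hex = cur.first_line[len("Data Raw:"):].strip()
                cur.first_line = ""
            continue
        if cur is None:
            continue
        if line.startswith("Data Raw:"):
            cur.raw_hex = line[len("Data Raw:"):].strip()
        elif line.startswith("Data Ascii:"):
            cur.ascii = line[len("Data Ascii:"):].strip()
        elif ": " in line:
            name, value = line.split(": ", 1)
            cur.headers[name.lower()] = value
    return records


def printable(body: bytes) -> str:
    """Assumed ASCII-view rule: non-printable bytes are dropped (0x00 -> '')."""
    return "".join(chr(b) for b in body if 32 <= b < 127)


def check_body(rec: Record) -> List[str]:
    """Inconsistencies between hex dump, ASCII view and Content-Length."""
    problems: List[str] = []
    if rec.raw_hex is None:
        return problems
    body = bytes.fromhex(rec.raw_hex)
    if rec.ascii is not None and printable(body) != rec.ascii:
        problems.append("Data Ascii does not match Data Raw")
    declared = rec.headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        problems.append(f"Content-Length {declared} but body is {len(body)} bytes")
    return problems


def attribute_hosts(records: List[Record]) -> Dict[str, str]:
    """Map each Host of an outbound request to 'background' or 'review'."""
    verdict: Dict[str, str] = {}
    for rec in records:
        host = rec.headers.get("host") if rec.direction == "OUT" else None
        if host:
            verdict[host] = "background" if host in BACKGROUND_HOSTS else "review"
    return verdict


def meta_refresh_target(html: str) -> Optional[str]:
    """Pull the redirect URL out of a <meta http-equiv="refresh"> body."""
    m = re.search(r'content="\d+;\s*url=([^"]+)"', html)
    return m.group(1) if m else None


if __name__ == "__main__":
    recs = parse_transcript(SAMPLE_TRANSCRIPT)
    print(attribute_hosts(recs), [check_body(r) for r in recs])
```

Run it over the whole network section of a report, not just this excerpt: every Host that comes back as "review" is a candidate for the sample's own traffic, while "background" hosts should be discounted before reading signatures such as "Connects to many different domains".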
Dec 15, 2024 09:19:00.671772003 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:00.988086939 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 03:48:09 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 16251
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.012653112 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:01.327533007 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 03:48:09 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 16252
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:11.339679003 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:16.997714043 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:17.312721014 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sun, 15 Dec 2024 03:48:09 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 16268
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:27.316020966 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:30.055512905 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:30.370487928 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
    Date: Sun, 15 Dec 2024 03:48:09 GMT
    Age: 16281
    Content-Type: text/html
    Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
    Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
    Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 15, 2024 09:19:31.279397964 CET | 303 bytes | OUT | GET /canonical.html HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: keep-alive
Dec 15, 2024 09:19:31.594022036 CET | 298 bytes | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Length: 90
    Via: 1.1 google
    Date: Sun, 15 Dec 2024 03:48:09 GMT
    Age: 16282
    Content-Type: text/html
    Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
    Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
    Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 15, 2024 09:19:41.610430956 CET | 6 bytes | OUT | Data Raw: 00
    Data Ascii:
Dec 15, 2024 09:19:51.843013048 CET | 6 bytes | OUT | Data Raw: 00
    Data Ascii:
Dec 15, 2024 09:19:58.960158110 CET | 303 bytes | OUT | GET /canonical.html HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: keep-alive
Dec 15, 2024 09:19:59.276022911 CET | 298 bytes | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Length: 90
    Via: 1.1 google
    Date: Sun, 15 Dec 2024 03:48:09 GMT
    Age: 16310
    Content-Type: text/html
    Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
    Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
    Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 15, 2024 09:20:09.291501999 CET | 6 bytes | OUT | Data Raw: 00
    Data Ascii:
Dec 15, 2024 09:20:19.422059059 CET | 6 bytes | OUT | Data Raw: 00
    Data Ascii:
Dec 15, 2024 09:20:29.640727043 CET | 6 bytes | OUT | Data Raw: 00
    Data Ascii:


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
3          | 192.168.2.9 | 49768       | 34.107.221.82  | 80               | 7944 | C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp | Bytes transferred | Direction | Data
Dec 15, 2024 09:18:37.309531927 CET | 305 bytes | OUT | GET /success.txt?ipv4 HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.9 | 49784       | 34.107.221.82  | 80               | 7944 | C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp | Bytes transferred | Direction | Data
Dec 15, 2024 09:18:40.904972076 CET | 305 bytes | OUT | GET /success.txt?ipv4 HTTP/1.1
    Host: detectportal.firefox.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
Dec 15, 2024 09:18:41.991369963 CET | 216 bytes | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Length: 8
    Via: 1.1 google
    Date: Sat, 14 Dec 2024 09:34:53 GMT
    Age: 81828
    Content-Type: text/plain
    Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
    Data Raw: 73 75 63 63 65 73 73 0a
    Data Ascii: success
Dec 15, 2024 09:18:42.235975981 CET | 305 bytes | OUT | GET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:42.551361084 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sat, 14 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 81829
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:43.990135908 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.305140018 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sat, 14 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 81831
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.446717024 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:44.761573076 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sat, 14 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 81831
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:54.773140907 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.532370090 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:18:55.847007990 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Sat, 14 Dec 2024 09:34:53 GMT
Age: 81842
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 15, 2024 09:18:59.863452911 CET  305  OUT  GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 15, 2024 09:19:00.178385973 CET  216  IN  HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Sat, 14 Dec 2024 09:34:53 GMT
Age: 81847
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 15, 2024 09:19:00.212281942 CET  305  OUT  GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 15, 2024 09:19:00.527203083 CET  216  IN  HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Sat, 14 Dec 2024 09:34:53 GMT
Age: 81847
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 15, 2024 09:19:00.994313955 CET  305  OUT  GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 15, 2024 09:19:01.310156107 CET  216  IN  HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Sat, 14 Dec 2024 09:34:53 GMT
Age: 81848
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 15, 2024 09:19:01.333198071 CET  305  OUT  GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 15, 2024 09:19:01.647847891 CET  216  IN  HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Sat, 14 Dec 2024 09:34:53 GMT
Age: 81848
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 15, 2024 09:19:11.656191111 CET  6  OUT  Data Raw: 00
Data Ascii:
Dec 15, 2024 09:19:17.316502094 CET  305  OUT  GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:17.630717993 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sat, 14 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 81864
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:27.632528067 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:30.374300957 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:30.688791990 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sat, 14 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 81877
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:31.599042892 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:31.913476944 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                              Date: Sat, 14 Dec 2024 09:34:53 GMT
                                                                                                                                                                                                                                                                                                                                                                              Age: 81878
                                                                                                                                                                                                                                                                                                                                                                              Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                              Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:41.926816940 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:52.057125092 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                              Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:59.279994011 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                              Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                              Accept: */*
                                                                                                                                                                                                                                                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                              Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                              Dec 15, 2024 09:19:59.594347000 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                              Server: nginx
                                                                                                                                                                                                                                                                                                                                                                              Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                              Via: 1.1 google
Date: Sat, 14 Dec 2024 09:34:53 GMT
Age: 81906
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 15, 2024 09:20:09.608042002 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 15, 2024 09:20:19.738691092 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 15, 2024 09:20:29.894720078 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Target ID:0
Start time:03:18:21
Start date:15/12/2024
Path:C:\Users\user\Desktop\6eftz6UKDm.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\6eftz6UKDm.exe"
Imagebase:0x670000
File size:965'632 bytes
MD5 hash:2B1706B1A255A25718D22746C3AE418E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:03:18:22
Start date:15/12/2024
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM firefox.exe /T
Imagebase:0xf60000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:03:18:22
Start date:15/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:03:18:24
Start date:15/12/2024
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM chrome.exe /T
Imagebase:0xf60000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:03:18:24
Start date:15/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
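
The process list above shows the behaviour behind the Credential Flusher verdict: within about two seconds of starting, the sample spawns taskkill /F /IM <browser> /T for firefox.exe, chrome.exe and msedge.exe in turn. A single parent force-killing several different browsers in one short burst is a strong detection signal, since ordinary users and installers almost never do that. The following is an added detection example, not Joe Sandbox code and not part of the report; the process-creation records it runs over are constructed to mirror the process list above (parent name, PIDs and the two benign taskkill invocations are assumed, not exported from the report), and the field names (ts, ppid, parent, cmdline) are an assumed normalisation of a Sysmon event ID 1 or Security 4688 record.

```python
"""Detect a browser-kill burst: one parent spawning
`taskkill /F /IM <browser>.exe /T` for several distinct browsers within a
short window. Added example; not Joe Sandbox code. The sample events below
are constructed, not exported from the report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Browser images a credential flusher kills before relaunching one of them
# in kiosk mode to force the user to re-enter a password.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Match taskkill invoked by name or full path, then the /IM target.
# Argument order and case vary, so the regex is deliberately loose.
TASKKILL_RE = re.compile(
    r"taskkill(?:\.exe)?\b.*?/im\s+\"?([\w.\-]+)\"?", re.IGNORECASE
)


def killed_image(cmdline):
    """Return the lower-cased image name a taskkill command line targets,
    or None if the line is not a taskkill /IM invocation."""
    m = TASKKILL_RE.search(cmdline)
    return m.group(1).lower() if m else None


def detect_browser_kill_burst(events, window=timedelta(seconds=30), min_browsers=2):
    """events: iterable of dicts with 'ts' (datetime), 'ppid', 'parent', 'cmdline'.
    Returns [(parent, ppid, sorted browser names)] for every parent that killed
    at least `min_browsers` distinct browsers inside `window`."""
    kills = defaultdict(list)  # (parent, ppid) -> [(ts, browser), ...]
    for ev in events:
        img = killed_image(ev["cmdline"])
        if img in BROWSERS:
            kills[(ev["parent"], ev["ppid"])].append((ev["ts"], img))

    hits = []
    for (parent, ppid), lst in kills.items():
        lst.sort()  # chronological, so the window scan below is one pass
        for i, (t0, _) in enumerate(lst):
            seen = {b for t, b in lst[i:] if t - t0 <= window}
            if len(seen) >= min_browsers:
                hits.append((parent, ppid, sorted(seen)))
                break  # one alert per parent is enough
    return hits


def _ts(hhmmss):
    # Constructed timestamps on the report's analysis date (15/12/2024).
    return datetime.strptime("2024-12-15 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed sample: the three taskkill children seen in the report (the
# parent PID 1234 is assumed) plus two benign invocations that must not fire.
SAMPLE_EVENTS = [
    {"ts": _ts("03:18:22"), "ppid": 1234, "parent": "6eftz6UKDm.exe",
     "cmdline": "taskkill /F /IM firefox.exe /T"},
    {"ts": _ts("03:18:24"), "ppid": 1234, "parent": "6eftz6UKDm.exe",
     "cmdline": "taskkill /F /IM chrome.exe /T"},
    {"ts": _ts("03:18:24"), "ppid": 1234, "parent": "6eftz6UKDm.exe",
     "cmdline": "C:\\Windows\\SysWOW64\\taskkill.exe /F /IM msedge.exe /T"},
    # An admin killing a single non-browser process: no browser involved.
    {"ts": _ts("03:20:00"), "ppid": 5678, "parent": "cmd.exe",
     "cmdline": "taskkill /F /IM notepad.exe"},
    # A single browser kill: below the min_browsers threshold.
    {"ts": _ts("03:25:00"), "ppid": 9012, "parent": "explorer.exe",
     "cmdline": "taskkill /IM chrome.exe"},
]

if __name__ == "__main__":
    for parent, ppid, browsers in detect_browser_kill_burst(SAMPLE_EVENTS):
        print(f"ALERT: {parent} (pid {ppid}) force-killed {', '.join(browsers)}")
```

Keying on (parent image, parent PID) rather than on the taskkill image alone is what keeps the rule quiet: a helpdesk script that kills one browser, or a user closing a hung notepad, never crosses the two-distinct-browsers threshold. In a SIEM the same logic maps to a count-distinct over the /IM argument grouped by parent process within a short time bucket.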

Target ID:6
Start time:03:18:24
Start date:15/12/2024
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM msedge.exe /T
Imagebase:0xf60000
File size:74'240 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:7
                                                                                                                                                                                                                                                                                                                                                                              Start time:03:18:24
                                                                                                                                                                                                                                                                                                                                                                              Start date:15/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:8
                                                                                                                                                                                                                                                                                                                                                                              Start time:03:18:24
                                                                                                                                                                                                                                                                                                                                                                              Start date:15/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                                                              Commandline:taskkill /F /IM opera.exe /T
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0xf60000
                                                                                                                                                                                                                                                                                                                                                                              File size:74'240 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:9
                                                                                                                                                                                                                                                                                                                                                                              Start time:03:18:24
                                                                                                                                                                                                                                                                                                                                                                              Start date:15/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:10
                                                                                                                                                                                                                                                                                                                                                                              Start time:03:18:25
                                                                                                                                                                                                                                                                                                                                                                              Start date:15/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                                                              Commandline:taskkill /F /IM brave.exe /T
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0xf60000
                                                                                                                                                                                                                                                                                                                                                                              File size:74'240 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                                                                                                              Target ID:11
                                                                                                                                                                                                                                                                                                                                                                              Start time:03:18:25
                                                                                                                                                                                                                                                                                                                                                                              Start date:15/12/2024
                                                                                                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                              Has exited:true

Target ID:12
Start time:03:18:25
Start date:15/12/2024
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:0x7ff73feb0000
File size:676'768 bytes
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:03:18:25
Start date:15/12/2024
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:0x7ff73feb0000
File size:676'768 bytes
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:03:18:25
Start date:15/12/2024
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:0x7ff73feb0000
File size:676'768 bytes
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:16
Start time:03:18:27
Start date:15/12/2024
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25315 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {196808b4-aa94-4ea0-926d-c9a927698a1e} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208b7e6e910 socket
Imagebase:0x7ff73feb0000
File size:676'768 bytes
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:18
Start time:03:18:28
Start date:15/12/2024
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -parentBuildID 20230927232528 -prefsHandle 3888 -prefMapHandle 3904 -prefsLen 26330 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4bb2915-743c-44bc-be3c-ec644e694703} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208c9574510 rdd
Imagebase:0x7ff73feb0000
File size:676'768 bytes
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:19
Start time:03:18:36
Start date:15/12/2024
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 4928 -prefsLen 33141 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3537fcfe-2cf5-4957-a7fb-f3ebb284c8c3} 7944 "\\.\pipe\gecko-crash-server-pipe.7944" 208c9256110 utility
Imagebase:0x7ff73feb0000
File size:676'768 bytes
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false
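The Firefox processes above are the Credential Flusher's coercion step: firefox.exe is started in --kiosk mode on a youtube.com URL whose query carries a Google password-challenge address, and because the first instance (Target 12) ran with elevated privileges, Firefox relaunches itself with --attempting-deelevation (Target 13) before the instance that renders the page (Target 14) appears; the -contentproc children (Targets 16, 18, 19) are ordinary Firefox worker processes and carry no kiosk flag. The detection logic below is an added example, not code from the report, the sample or Joe Sandbox. It runs over constructed Sysmon-style process-creation records modelled on this tree (the PIDs, the parent links and the sample as launching parent are assumptions; the report shows Target IDs only), flags a browser launched in kiosk mode against an identity-provider sign-in URL, and walks past the browser's self-relaunch to the process that started the chain. The browser list and the Microsoft sign-in hosts in the URL pattern are assumptions that generalize the Firefox/Google case seen here.

```python
"""Flag Credential Flusher style kiosk-mode browser launches in process telemetry.

Added example, not code from the Joe Sandbox report or the sample. Event fields
mirror Sysmon Event ID 1 (ProcessCreate). The events below are constructed to
match the report's process tree; PIDs, parent links and the launching parent
are assumptions, as are the browser list and the Microsoft sign-in hosts.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "brave.exe"}  # assumed list
KIOSK_FLAGS = {"--kiosk", "-kiosk"}  # strip the browser UI so the victim cannot leave
# Identity-provider paths that render a password prompt (Microsoft hosts assumed).
CREDENTIAL_URL = re.compile(
    r"accounts\.google\.com/\S*signin|login\.microsoftonline\.com|login\.live\.com",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes stay literal (Windows paths) and '#' is not a comment (URLs)."""
    lexer = shlex.shlex(cmd, posix=True)
    lexer.whitespace_split = True
    lexer.escape = ""
    lexer.commenters = ""
    return list(lexer)


def kiosk_credential_url(command_line: str) -> Optional[str]:
    """Return the sign-in URL if this is a kiosk-mode launch of one, else None."""
    args = split_cmdline(command_line)
    if not any(a.lower() in KIOSK_FLAGS for a in args):
        return None
    for a in args:
        if a.lower().startswith(("http://", "https://")) and CREDENTIAL_URL.search(a):
            return a
    return None


def origin_process(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> ProcessEvent:
    """Walk past the browser's own relaunches (Firefox's --attempting-deelevation
    hop) to the first non-browser ancestor, or the topmost browser if none is known."""
    cur = ev
    while cur.ppid in by_pid and basename(by_pid[cur.ppid].image) in BROWSERS:
        cur = by_pid[cur.ppid]
    return by_pid.get(cur.ppid, cur)


def detect(events: List[ProcessEvent]) -> List[Tuple[int, int, str]]:
    """Return (browser_pid, origin_pid, lure_url) per kiosk-mode sign-in launch."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if basename(ev.image) not in BROWSERS:
            continue
        url = kiosk_credential_url(ev.command_line)
        if url is not None:
            hits.append((ev.pid, origin_process(ev, by_pid).pid, url))
    return hits


FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE = r"C:\Users\user\Desktop\6eftz6UKDm.exe"  # assumed launching parent
LURE = "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd"
TAIL = "--no-default-browser-check --disable-popup-blocking"

# Constructed events modelled on report Targets 12, 13, 14 and 16, plus two benign launches.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 900, SAMPLE, EXPLORER, f'"{SAMPLE}"'),
    ProcessEvent(1012, 1000, FIREFOX, SAMPLE, f'"{FIREFOX}" --kiosk "{LURE}" {TAIL}'),
    ProcessEvent(1013, 1012, FIREFOX, FIREFOX, f'"{FIREFOX}" --kiosk {LURE} {TAIL} --attempting-deelevation'),
    ProcessEvent(1014, 1013, FIREFOX, FIREFOX, f'"{FIREFOX}" --kiosk {LURE} {TAIL}'),
    ProcessEvent(1016, 1014, FIREFOX, FIREFOX, f'"{FIREFOX}" -contentproc --channel=2292 socket'),
    ProcessEvent(2000, 900, FIREFOX, EXPLORER, f'"{FIREFOX}" https://youtube.com/'),
    ProcessEvent(2001, 900, FIREFOX, EXPLORER, f'"{FIREFOX}" --kiosk https://dashboard.example/status'),
]

if __name__ == "__main__":
    for pid, origin, url in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: kiosk-mode sign-in page {url} (chain started by pid {origin})")
```

Both conditions are required: a plain kiosk launch (digital signage, the constructed pid 2001) and a normal visit to a sign-in page without the kiosk flag do not fire, while all three Firefox instances carrying the lure URL are reported against the same origin. If Firefox brokers its de-elevation relaunch through the shell rather than spawning it directly, the parent link of the relaunched instance stops at explorer.exe and the origin walk lands there; the elevated first instance still points at the launcher, so cluster flagged events on the shared lure URL as well as on the origin PID.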


Execution Graph

Execution Coverage:2.6%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:6.2%
Total number of Nodes:1732
Total number of Limit Nodes:52
__fread_nolock 26 API calls 95646->95647 95648 69dc43 95647->95648 95676 6a59be 62 API calls 4 library calls 95648->95676 95651 6a4d90 95650->95651 95652 69e640 95650->95652 95651->95652 95653 6a29c8 _free 20 API calls 95651->95653 95654 69d955 95652->95654 95653->95652 95655 69d961 95654->95655 95656 69d976 95654->95656 95677 69f2d9 20 API calls _abort 95655->95677 95656->95637 95658 69d966 95678 6a27ec 26 API calls __wsopen_s 95658->95678 95660 69d971 95660->95637 95662 6a863e 95661->95662 95663 6a8653 95661->95663 95679 69f2c6 20 API calls _abort 95662->95679 95665 6a868e 95663->95665 95670 6a867a 95663->95670 95684 69f2c6 20 API calls _abort 95665->95684 95667 6a8643 95680 69f2d9 20 API calls _abort 95667->95680 95668 6a8693 95685 69f2d9 20 API calls _abort 95668->95685 95681 6a8607 95670->95681 95673 6a869b 95686 6a27ec 26 API calls __wsopen_s 95673->95686 95674 69e64c 95674->95631 95674->95640 95676->95645 95677->95658 95678->95660 95679->95667 95680->95674 95687 6a8585 95681->95687 95683 6a862b 95683->95674 95684->95668 95685->95673 95686->95674 95688 6a8591 ___scrt_is_nonwritable_in_current_image 95687->95688 95698 6a5147 EnterCriticalSection 95688->95698 95690 6a859f 95691 6a85d1 95690->95691 95692 6a85c6 95690->95692 95714 69f2d9 20 API calls _abort 95691->95714 95699 6a86ae 95692->95699 95695 6a85cc 95715 6a85fb LeaveCriticalSection __wsopen_s 95695->95715 95697 6a85ee __wsopen_s 95697->95683 95698->95690 95716 6a53c4 95699->95716 95701 6a86c4 95729 6a5333 21 API calls 3 library calls 95701->95729 95703 6a86be 95703->95701 95705 6a53c4 __wsopen_s 26 API calls 95703->95705 95713 6a86f6 95703->95713 95704 6a871c 95712 6a873e 95704->95712 95730 69f2a3 20 API calls 2 library calls 95704->95730 95707 6a86ed 95705->95707 95706 6a53c4 __wsopen_s 26 API calls 95708 6a8702 CloseHandle 95706->95708 95710 6a53c4 __wsopen_s 26 API calls 95707->95710 95708->95701 95711 6a870e GetLastError 95708->95711 95710->95713 95711->95701 95712->95695 95713->95701 95713->95706 
95714->95695 95715->95697 95717 6a53d1 95716->95717 95718 6a53e6 95716->95718 95731 69f2c6 20 API calls _abort 95717->95731 95723 6a540b 95718->95723 95733 69f2c6 20 API calls _abort 95718->95733 95721 6a53d6 95732 69f2d9 20 API calls _abort 95721->95732 95723->95703 95724 6a5416 95734 69f2d9 20 API calls _abort 95724->95734 95725 6a53de 95725->95703 95727 6a541e 95735 6a27ec 26 API calls __wsopen_s 95727->95735 95729->95704 95730->95712 95731->95721 95732->95725 95733->95724 95734->95727 95735->95725 96352 702a55 96360 6e1ebc 96352->96360 96355 702a70 96362 6d39c0 22 API calls 96355->96362 96357 702a87 96358 702a7c 96363 6d417d 22 API calls __fread_nolock 96358->96363 96361 6e1ec3 IsWindow 96360->96361 96361->96355 96361->96357 96362->96358 96363->96357 96364 6a8402 96365 6a8418 96364->96365 96366 6a842a 96365->96366 96368 6b0984 96365->96368 96371 6b0081 96368->96371 96370 6b099f 96370->96366 96372 6b008d ___scrt_is_nonwritable_in_current_image 96371->96372 96373 6b009b 96372->96373 96376 6b00d4 96372->96376 96429 69f2d9 20 API calls _abort 96373->96429 96375 6b00a0 96430 6a27ec 26 API calls __wsopen_s 96375->96430 96382 6b065b 96376->96382 96381 6b00aa __wsopen_s 96381->96370 96432 6b042f 96382->96432 96385 6b068d 96464 69f2c6 20 API calls _abort 96385->96464 96386 6b06a6 96450 6a5221 96386->96450 96389 6b0692 96465 69f2d9 20 API calls _abort 96389->96465 96390 6b06ab 96391 6b06cb 96390->96391 96392 6b06b4 96390->96392 96463 6b039a CreateFileW 96391->96463 96466 69f2c6 20 API calls _abort 96392->96466 96396 6b00f8 96431 6b0121 LeaveCriticalSection __wsopen_s 96396->96431 96397 6b06b9 96467 69f2d9 20 API calls _abort 96397->96467 96398 6b0781 GetFileType 96401 6b078c GetLastError 96398->96401 96402 6b07d3 96398->96402 96400 6b0756 GetLastError 96469 69f2a3 20 API calls 2 library calls 96400->96469 96470 69f2a3 20 API calls 2 library calls 96401->96470 96472 6a516a 21 API calls 3 library calls 96402->96472 96403 6b0704 96403->96398 96403->96400 96468 6b039a 
CreateFileW 96403->96468 96407 6b079a CloseHandle 96407->96389 96410 6b07c3 96407->96410 96409 6b0749 96409->96398 96409->96400 96471 69f2d9 20 API calls _abort 96410->96471 96411 6b07f4 96413 6b0840 96411->96413 96473 6b05ab 72 API calls 4 library calls 96411->96473 96418 6b086d 96413->96418 96474 6b014d 72 API calls 4 library calls 96413->96474 96414 6b07c8 96414->96389 96417 6b0866 96417->96418 96419 6b087e 96417->96419 96420 6a86ae __wsopen_s 29 API calls 96418->96420 96419->96396 96421 6b08fc CloseHandle 96419->96421 96420->96396 96475 6b039a CreateFileW 96421->96475 96423 6b0927 96424 6b0931 GetLastError 96423->96424 96428 6b095d 96423->96428 96476 69f2a3 20 API calls 2 library calls 96424->96476 96426 6b093d 96477 6a5333 21 API calls 3 library calls 96426->96477 96428->96396 96429->96375 96430->96381 96431->96381 96433 6b0450 96432->96433 96434 6b046a 96432->96434 96433->96434 96485 69f2d9 20 API calls _abort 96433->96485 96478 6b03bf 96434->96478 96437 6b04a2 96447 6b04d1 96437->96447 96487 69f2d9 20 API calls _abort 96437->96487 96438 6b045f 96486 6a27ec 26 API calls __wsopen_s 96438->96486 96442 6b04c6 96488 6a27ec 26 API calls __wsopen_s 96442->96488 96443 6b051f 96444 6b059e 96443->96444 96448 6b0524 96443->96448 96490 6a27fc 11 API calls _abort 96444->96490 96447->96448 96489 69d70d 26 API calls 2 library calls 96447->96489 96448->96385 96448->96386 96449 6b05aa 96451 6a522d ___scrt_is_nonwritable_in_current_image 96450->96451 96493 6a2f5e EnterCriticalSection 96451->96493 96453 6a527b 96494 6a532a 96453->96494 96454 6a5259 96457 6a5000 __wsopen_s 21 API calls 96454->96457 96455 6a5234 96455->96453 96455->96454 96460 6a52c7 EnterCriticalSection 96455->96460 96459 6a525e 96457->96459 96458 6a52a4 __wsopen_s 96458->96390 96459->96453 96497 6a5147 EnterCriticalSection 96459->96497 96460->96453 96461 6a52d4 LeaveCriticalSection 96460->96461 96461->96455 96463->96403 96464->96389 96465->96396 96466->96397 96467->96389 96468->96409 96469->96389 96470->96407 
96471->96414 96472->96411 96473->96413 96474->96417 96475->96423 96476->96426 96477->96428 96480 6b03d7 96478->96480 96479 6b03f2 96479->96437 96480->96479 96491 69f2d9 20 API calls _abort 96480->96491 96482 6b0416 96492 6a27ec 26 API calls __wsopen_s 96482->96492 96484 6b0421 96484->96437 96485->96438 96486->96434 96487->96442 96488->96447 96489->96443 96490->96449 96491->96482 96492->96484 96493->96455 96498 6a2fa6 LeaveCriticalSection 96494->96498 96496 6a5331 96496->96458 96497->96453 96498->96496 96499 6b2402 96502 671410 96499->96502 96503 6b24b8 DestroyWindow 96502->96503 96504 67144f mciSendStringW 96502->96504 96516 6b24c4 96503->96516 96505 6716c6 96504->96505 96506 67146b 96504->96506 96505->96506 96508 6716d5 UnregisterHotKey 96505->96508 96507 671479 96506->96507 96506->96516 96535 67182e 96507->96535 96508->96505 96510 6b24d8 96510->96516 96541 676246 CloseHandle 96510->96541 96511 6b24e2 FindClose 96511->96516 96513 6b2509 96517 6b252d 96513->96517 96518 6b251c FreeLibrary 96513->96518 96515 67148e 96515->96517 96525 67149c 96515->96525 96516->96510 96516->96511 96516->96513 96519 6b2541 VirtualFree 96517->96519 96526 671509 96517->96526 96518->96513 96519->96517 96520 6714f8 CoUninitialize 96520->96526 96521 6b2589 96528 6b2598 ISource 96521->96528 96542 6e32eb 6 API calls ISource 96521->96542 96522 671514 96523 671524 96522->96523 96539 671944 VirtualFreeEx CloseHandle 96523->96539 96525->96520 96526->96521 96526->96522 96531 6b2627 96528->96531 96543 6d64d4 22 API calls ISource 96528->96543 96530 67153a 96530->96528 96532 67161f 96530->96532 96531->96531 96532->96531 96540 671876 CloseHandle InternetCloseHandle InternetCloseHandle WaitForSingleObject 96532->96540 96534 6716c1 96536 67183b 96535->96536 96537 671480 96536->96537 96544 6d702a 22 API calls 96536->96544 96537->96513 96537->96515 96539->96530 96540->96534 96541->96510 96542->96521 96543->96528 96544->96536 95736 671cad SystemParametersInfoW 96545 6c2a00 96555 67d7b0 ISource 96545->96555 
96546 67d9d5 96547 67db11 PeekMessageW 96547->96555 96548 67d807 GetInputState 96548->96547 96548->96555 96550 6c1cbe TranslateAcceleratorW 96550->96555 96551 67da04 timeGetTime 96551->96555 96552 67db73 TranslateMessage DispatchMessageW 96553 67db8f PeekMessageW 96552->96553 96553->96555 96554 67dbaf Sleep 96554->96555 96555->96546 96555->96547 96555->96548 96555->96550 96555->96551 96555->96552 96555->96553 96555->96554 96556 6c2b74 Sleep 96555->96556 96558 6c2a51 96555->96558 96560 6c1dda timeGetTime 96555->96560 96573 67ec40 348 API calls 96555->96573 96574 681310 348 API calls 96555->96574 96575 67bf40 348 API calls 96555->96575 96577 67dd50 96555->96577 96584 67dfd0 96555->96584 96607 68edf6 96555->96607 96612 68e551 timeGetTime 96555->96612 96614 6e3a2a 23 API calls 96555->96614 96615 6e359c 82 API calls __wsopen_s 96555->96615 96556->96558 96558->96546 96558->96555 96562 6dd4dc 47 API calls 96558->96562 96563 6c2c0b GetExitCodeProcess 96558->96563 96567 7029bf GetForegroundWindow 96558->96567 96568 6c2ca9 Sleep 96558->96568 96616 6f5658 23 API calls 96558->96616 96617 6de97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 96558->96617 96618 68e551 timeGetTime 96558->96618 96613 68e300 23 API calls 96560->96613 96562->96558 96565 6c2c37 CloseHandle 96563->96565 96566 6c2c21 WaitForSingleObject 96563->96566 96565->96558 96566->96555 96566->96565 96567->96558 96568->96555 96573->96555 96574->96555 96575->96555 96578 67dd83 96577->96578 96579 67dd6f 96577->96579 96651 6e359c 82 API calls __wsopen_s 96578->96651 96619 67d260 96579->96619 96582 67dd7a 96582->96555 96583 6c2f75 96583->96583 96585 67e010 96584->96585 96601 67e0dc ISource 96585->96601 96661 690242 5 API calls __Init_thread_wait 96585->96661 96588 6c2fca 96590 67a961 22 API calls 96588->96590 96588->96601 96589 67a961 22 API calls 96589->96601 96593 6c2fe4 96590->96593 96662 6900a3 29 API calls __onexit 96593->96662 96596 6c2fee 96663 6901f8 EnterCriticalSection 
LeaveCriticalSection SetEvent ResetEvent 96596->96663 96598 67ec40 348 API calls 96598->96601 96601->96589 96601->96598 96602 67e3e1 96601->96602 96603 6804f0 22 API calls 96601->96603 96605 6e359c 82 API calls 96601->96605 96658 67a8c7 22 API calls __fread_nolock 96601->96658 96659 67a81b 41 API calls 96601->96659 96660 68a308 348 API calls 96601->96660 96664 690242 5 API calls __Init_thread_wait 96601->96664 96665 6900a3 29 API calls __onexit 96601->96665 96666 6901f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96601->96666 96667 6f47d4 348 API calls 96601->96667 96668 6f68c1 348 API calls 96601->96668 96602->96555 96603->96601 96605->96601 96608 68ee09 96607->96608 96609 68ee12 96607->96609 96608->96555 96609->96608 96610 68ee36 IsDialogMessageW 96609->96610 96611 6cefaf GetClassLongW 96609->96611 96610->96608 96610->96609 96611->96609 96611->96610 96612->96555 96613->96555 96614->96555 96615->96555 96616->96558 96617->96558 96618->96558 96620 67ec40 348 API calls 96619->96620 96637 67d29d 96620->96637 96621 6c1bc4 96657 6e359c 82 API calls __wsopen_s 96621->96657 96623 67d30b ISource 96623->96582 96624 67d6d5 96624->96623 96635 68fe0b 22 API calls 96624->96635 96625 67d3c3 96625->96624 96627 67d3ce 96625->96627 96626 67d5ff 96628 67d614 96626->96628 96629 6c1bb5 96626->96629 96631 68fddb 22 API calls 96627->96631 96632 68fddb 22 API calls 96628->96632 96656 6f5705 23 API calls 96629->96656 96630 67d4b8 96636 68fe0b 22 API calls 96630->96636 96640 67d3d5 __fread_nolock 96631->96640 96643 67d46a 96632->96643 96634 68fddb 22 API calls 96634->96637 96635->96640 96646 67d429 ISource __fread_nolock 96636->96646 96637->96621 96637->96623 96637->96624 96637->96625 96637->96630 96637->96634 96637->96646 96638 68fddb 22 API calls 96639 67d3f6 96638->96639 96639->96646 96652 67bec0 348 API calls 96639->96652 96640->96638 96640->96639 96642 6c1ba4 96655 6e359c 82 API calls __wsopen_s 96642->96655 96643->96582 96645 671f6f 348 API calls 96645->96646 
96646->96626 96646->96642 96646->96643 96646->96645 96647 6c1b7f 96646->96647 96649 6c1b5d 96646->96649 96654 6e359c 82 API calls __wsopen_s 96647->96654 96653 6e359c 82 API calls __wsopen_s 96649->96653 96651->96583 96652->96646 96653->96643 96654->96643 96655->96643 96656->96621 96657->96623 96658->96601 96659->96601 96660->96601 96661->96588 96662->96596 96663->96601 96664->96601 96665->96601 96666->96601 96667->96601 96668->96601 95737 6b2ba5 95738 672b25 95737->95738 95739 6b2baf 95737->95739 95765 672b83 7 API calls 95738->95765 95783 673a5a 95739->95783 95743 6b2bb8 95745 679cb3 22 API calls 95743->95745 95747 6b2bc6 95745->95747 95746 672b2f 95757 672b44 95746->95757 95769 673837 95746->95769 95748 6b2bce 95747->95748 95749 6b2bf5 95747->95749 95790 6733c6 95748->95790 95752 6733c6 22 API calls 95749->95752 95754 6b2bf1 GetForegroundWindow ShellExecuteW 95752->95754 95759 6b2c26 95754->95759 95756 672b5f 95762 672b66 SetCurrentDirectoryW 95756->95762 95757->95756 95779 6730f2 95757->95779 95759->95756 95761 6b2be7 95763 6733c6 22 API calls 95761->95763 95764 672b7a 95762->95764 95763->95754 95800 672cd4 7 API calls 95765->95800 95767 672b2a 95768 672c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 95767->95768 95768->95746 95770 673862 ___scrt_fastfail 95769->95770 95801 674212 95770->95801 95774 673906 Shell_NotifyIconW 95805 673923 95774->95805 95775 6b3386 Shell_NotifyIconW 95776 6738e8 95776->95774 95776->95775 95778 67391c 95778->95757 95780 673154 95779->95780 95781 673104 ___scrt_fastfail 95779->95781 95780->95756 95782 673123 Shell_NotifyIconW 95781->95782 95782->95780 95784 6b1f50 __wsopen_s 95783->95784 95785 673a67 GetModuleFileNameW 95784->95785 95786 679cb3 22 API calls 95785->95786 95787 673a8d 95786->95787 95788 673aa2 23 API calls 95787->95788 95789 673a97 95788->95789 95789->95743 95791 6b30bb 95790->95791 95792 6733dd 95790->95792 95793 68fddb 22 API calls 95791->95793 95836 6733ee 95792->95836 95796 6b30c5 _wcslen 95793->95796 
95795 6733e8 95799 676350 22 API calls 95795->95799 95797 68fe0b 22 API calls 95796->95797 95798 6b30fe __fread_nolock 95797->95798 95799->95761 95800->95767 95802 6738b7 95801->95802 95803 6b35a4 95801->95803 95802->95776 95827 6dc874 42 API calls _strftime 95802->95827 95803->95802 95804 6b35ad DestroyIcon 95803->95804 95804->95802 95806 673a13 95805->95806 95807 67393f 95805->95807 95806->95778 95828 676270 95807->95828 95810 6b3393 LoadStringW 95813 6b33ad 95810->95813 95811 67395a 95812 676b57 22 API calls 95811->95812 95814 67396f 95812->95814 95821 673994 ___scrt_fastfail 95813->95821 95834 67a8c7 22 API calls __fread_nolock 95813->95834 95815 6b33c9 95814->95815 95816 67397c 95814->95816 95835 676350 22 API calls 95815->95835 95816->95813 95818 673986 95816->95818 95833 676350 22 API calls 95818->95833 95824 6739f9 Shell_NotifyIconW 95821->95824 95822 6b33d7 95822->95821 95823 6733c6 22 API calls 95822->95823 95825 6b33f9 95823->95825 95824->95806 95826 6733c6 22 API calls 95825->95826 95826->95821 95827->95776 95829 68fe0b 22 API calls 95828->95829 95830 676295 95829->95830 95831 68fddb 22 API calls 95830->95831 95832 67394d 95831->95832 95832->95810 95832->95811 95833->95821 95834->95821 95835->95822 95837 6733fe _wcslen 95836->95837 95838 6b311d 95837->95838 95839 673411 95837->95839 95841 68fddb 22 API calls 95838->95841 95846 67a587 95839->95846 95843 6b3127 95841->95843 95842 67341e __fread_nolock 95842->95795 95844 68fe0b 22 API calls 95843->95844 95845 6b3157 __fread_nolock 95844->95845 95847 67a598 __fread_nolock 95846->95847 95848 67a59d 95846->95848 95847->95842 95849 68fe0b 22 API calls 95848->95849 95850 6bf80f 95848->95850 95849->95847 95850->95850 95851 672e37 95852 67a961 22 API calls 95851->95852 95853 672e4d 95852->95853 95930 674ae3 95853->95930 95855 672e6b 95856 673a5a 24 API calls 95855->95856 95857 672e7f 95856->95857 95858 679cb3 22 API calls 95857->95858 95859 672e8c 95858->95859 95860 674ecb 94 API calls 95859->95860 95861 672ea5 
95860->95861 95862 672ead 95861->95862 95863 6b2cb0 95861->95863 95944 67a8c7 22 API calls __fread_nolock 95862->95944 95864 6e2cf9 80 API calls 95863->95864 95865 6b2cc3 95864->95865 95866 6b2ccf 95865->95866 95868 674f39 68 API calls 95865->95868 95872 674f39 68 API calls 95866->95872 95868->95866 95869 672ec3 95945 676f88 22 API calls 95869->95945 95871 672ecf 95873 679cb3 22 API calls 95871->95873 95874 6b2ce5 95872->95874 95875 672edc 95873->95875 95962 673084 22 API calls 95874->95962 95946 67a81b 41 API calls 95875->95946 95877 672eec 95880 679cb3 22 API calls 95877->95880 95879 6b2d02 95963 673084 22 API calls 95879->95963 95882 672f12 95880->95882 95947 67a81b 41 API calls 95882->95947 95883 6b2d1e 95885 673a5a 24 API calls 95883->95885 95886 6b2d44 95885->95886 95964 673084 22 API calls 95886->95964 95887 672f21 95890 67a961 22 API calls 95887->95890 95889 6b2d50 95965 67a8c7 22 API calls __fread_nolock 95889->95965 95891 672f3f 95890->95891 95948 673084 22 API calls 95891->95948 95894 6b2d5e 95966 673084 22 API calls 95894->95966 95895 672f4b 95949 694a28 40 API calls 3 library calls 95895->95949 95898 6b2d6d 95967 67a8c7 22 API calls __fread_nolock 95898->95967 95899 672f59 95899->95874 95900 672f63 95899->95900 95950 694a28 40 API calls 3 library calls 95900->95950 95903 6b2d83 95968 673084 22 API calls 95903->95968 95904 672f6e 95904->95879 95906 672f78 95904->95906 95951 694a28 40 API calls 3 library calls 95906->95951 95907 6b2d90 95909 672f83 95909->95883 95910 672f8d 95909->95910 95952 694a28 40 API calls 3 library calls 95910->95952 95912 672f98 95913 672fdc 95912->95913 95953 673084 22 API calls 95912->95953 95913->95898 95914 672fe8 95913->95914 95914->95907 95956 6763eb 22 API calls 95914->95956 95916 672fbf 95954 67a8c7 22 API calls __fread_nolock 95916->95954 95919 672ff8 95957 676a50 22 API calls 95919->95957 95920 672fcd 95955 673084 22 API calls 95920->95955 95923 673006 95958 6770b0 23 API calls 95923->95958 95927 673021 95928 673065 
95927->95928 95959 676f88 22 API calls 95927->95959 95960 6770b0 23 API calls 95927->95960 95961 673084 22 API calls 95927->95961 95931 674af0 __wsopen_s 95930->95931 95932 676b57 22 API calls 95931->95932 95933 674b22 95931->95933 95932->95933 95940 674b58 95933->95940 95969 674c6d 95933->95969 95935 679cb3 22 API calls 95937 674c52 95935->95937 95936 679cb3 22 API calls 95936->95940 95939 67515f 22 API calls 95937->95939 95938 674c6d 22 API calls 95938->95940 95942 674c5e 95939->95942 95940->95936 95940->95938 95941 67515f 22 API calls 95940->95941 95943 674c29 95940->95943 95941->95940 95942->95855 95943->95935 95943->95942 95944->95869 95945->95871 95946->95877 95947->95887 95948->95895 95949->95899 95950->95904 95951->95909 95952->95912 95953->95916 95954->95920 95955->95913 95956->95919 95957->95923 95958->95927 95959->95927 95960->95927 95961->95927 95962->95879 95963->95883 95964->95889 95965->95894 95966->95898 95967->95903 95968->95907 95970 67aec9 22 API calls 95969->95970 95971 674c78 95970->95971 95971->95933 96669 68f698 96670 68f6a2 96669->96670 96671 68f6c3 96669->96671 96678 67af8a 96670->96678 96676 6cf2f8 96671->96676 96686 6d4d4a 22 API calls ISource 96671->96686 96674 68f6b2 96675 67af8a 22 API calls 96674->96675 96677 68f6c2 96675->96677 96679 67af98 96678->96679 96685 67afc0 ISource 96678->96685 96680 67afa6 96679->96680 96681 67af8a 22 API calls 96679->96681 96682 67afac 96680->96682 96683 67af8a 22 API calls 96680->96683 96681->96680 96682->96685 96687 67b090 96682->96687 96683->96682 96685->96674 96686->96671 96688 67b09b ISource 96687->96688 96690 67b0d6 ISource 96688->96690 96691 68ce17 22 API calls ISource 96688->96691 96690->96685 96691->96690 96692 673156 96695 673170 96692->96695 96696 673187 96695->96696 96697 67318c 96696->96697 96698 6731eb 96696->96698 96735 6731e9 96696->96735 96702 673265 PostQuitMessage 96697->96702 96703 673199 96697->96703 96700 6b2dfb 96698->96700 96701 6731f1 96698->96701 96699 6731d0 DefWindowProcW 96726 
67316a 96699->96726 96750 6718e2 10 API calls 96700->96750 96704 67321d SetTimer RegisterWindowMessageW 96701->96704 96705 6731f8 96701->96705 96702->96726 96707 6731a4 96703->96707 96708 6b2e7c 96703->96708 96712 673246 CreatePopupMenu 96704->96712 96704->96726 96709 673201 KillTimer 96705->96709 96710 6b2d9c 96705->96710 96713 6b2e68 96707->96713 96714 6731ae 96707->96714 96753 6dbf30 34 API calls ___scrt_fastfail 96708->96753 96718 6730f2 Shell_NotifyIconW 96709->96718 96716 6b2da1 96710->96716 96717 6b2dd7 MoveWindow 96710->96717 96711 6b2e1c 96751 68e499 42 API calls 96711->96751 96712->96726 96740 6dc161 96713->96740 96721 6731b9 96714->96721 96724 6b2e4d 96714->96724 96722 6b2da7 96716->96722 96723 6b2dc6 SetFocus 96716->96723 96717->96726 96725 673214 96718->96725 96727 6731c4 96721->96727 96728 673253 96721->96728 96722->96727 96730 6b2db0 96722->96730 96723->96726 96724->96699 96752 6d0ad7 22 API calls 96724->96752 96747 673c50 DeleteObject DestroyWindow 96725->96747 96727->96699 96737 6730f2 Shell_NotifyIconW 96727->96737 96748 67326f 44 API calls ___scrt_fastfail 96728->96748 96729 6b2e8e 96729->96699 96729->96726 96749 6718e2 10 API calls 96730->96749 96735->96699 96736 673263 96736->96726 96738 6b2e41 96737->96738 96739 673837 49 API calls 96738->96739 96739->96735 96741 6dc179 ___scrt_fastfail 96740->96741 96742 6dc276 96740->96742 96743 673923 24 API calls 96741->96743 96742->96726 96745 6dc1a0 96743->96745 96744 6dc25f KillTimer SetTimer 96744->96742 96745->96744 96746 6dc251 Shell_NotifyIconW 96745->96746 96746->96744 96747->96726 96748->96736 96749->96726 96750->96711 96751->96727 96752->96735 96753->96729 95972 6903fb 95973 690407 ___scrt_is_nonwritable_in_current_image 95972->95973 96001 68feb1 95973->96001 95975 69040e 95976 690561 95975->95976 95979 690438 95975->95979 96031 69083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 95976->96031 95978 690568 96024 694e52 
95978->96024 95990 690477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 95979->95990 96012 6a247d 95979->96012 95986 690457 95988 6904d8 96020 690959 95988->96020 95990->95988 96027 694e1a 38 API calls 3 library calls 95990->96027 95992 6904de 95993 6904f3 95992->95993 96028 690992 GetModuleHandleW 95993->96028 95995 6904fa 95995->95978 95996 6904fe 95995->95996 95997 690507 95996->95997 96029 694df5 28 API calls _abort 95996->96029 96030 690040 13 API calls 2 library calls 95997->96030 96000 69050f 96000->95986 96002 68feba 96001->96002 96033 690698 IsProcessorFeaturePresent 96002->96033 96004 68fec6 96034 692c94 10 API calls 3 library calls 96004->96034 96006 68fecb 96011 68fecf 96006->96011 96035 6a2317 96006->96035 96009 68fee6 96009->95975 96011->95975 96013 6a2494 96012->96013 96014 690a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 96013->96014 96015 690451 96014->96015 96015->95986 96016 6a2421 96015->96016 96017 6a2450 96016->96017 96018 690a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 96017->96018 96019 6a2479 96018->96019 96019->95990 96094 692340 96020->96094 96023 69097f 96023->95992 96096 694bcf 96024->96096 96027->95988 96028->95995 96029->95997 96030->96000 96031->95978 96033->96004 96034->96006 96039 6ad1f6 96035->96039 96038 692cbd 8 API calls 3 library calls 96038->96011 96040 6ad213 96039->96040 96043 6ad20f 96039->96043 96040->96043 96045 6a4bfb 96040->96045 96042 68fed8 96042->96009 96042->96038 96057 690a8c 96043->96057 96046 6a4c07 ___scrt_is_nonwritable_in_current_image 96045->96046 96064 6a2f5e EnterCriticalSection 96046->96064 96048 6a4c0e 96065 6a50af 96048->96065 96050 6a4c1d 96056 6a4c2c 96050->96056 96078 6a4a8f 29 API calls 96050->96078 96053 6a4c27 96079 6a4b45 GetStdHandle GetFileType 96053->96079 96054 6a4c3d __wsopen_s 96054->96040 96080 
6a4c48 LeaveCriticalSection _abort 96056->96080 96058 690a95 96057->96058 96059 690a97 IsProcessorFeaturePresent 96057->96059 96058->96042 96061 690c5d 96059->96061 96093 690c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96061->96093 96063 690d40 96063->96042 96064->96048 96066 6a50bb ___scrt_is_nonwritable_in_current_image 96065->96066 96067 6a50c8 96066->96067 96068 6a50df 96066->96068 96089 69f2d9 20 API calls _abort 96067->96089 96081 6a2f5e EnterCriticalSection 96068->96081 96071 6a50cd 96090 6a27ec 26 API calls __wsopen_s 96071->96090 96073 6a5117 96091 6a513e LeaveCriticalSection _abort 96073->96091 96074 6a50d7 __wsopen_s 96074->96050 96075 6a50eb 96075->96073 96082 6a5000 96075->96082 96078->96053 96079->96056 96080->96054 96081->96075 96083 6a4c7d pre_c_initialization 20 API calls 96082->96083 96085 6a5012 96083->96085 96084 6a501f 96086 6a29c8 _free 20 API calls 96084->96086 96085->96084 96092 6a3405 11 API calls 2 library calls 96085->96092 96088 6a5071 96086->96088 96088->96075 96089->96071 96090->96074 96091->96074 96092->96085 96093->96063 96095 69096c GetStartupInfoW 96094->96095 96095->96023 96097 694bdb IsInExceptionSpec 96096->96097 96098 694be2 96097->96098 96099 694bf4 96097->96099 96135 694d29 GetModuleHandleW 96098->96135 96120 6a2f5e EnterCriticalSection 96099->96120 96102 694be7 96102->96099 96136 694d6d GetModuleHandleExW 96102->96136 96103 694c99 96124 694cd9 96103->96124 96106 694c70 96109 694c88 96106->96109 96115 6a2421 _abort 5 API calls 96106->96115 96116 6a2421 _abort 5 API calls 96109->96116 96110 694ce2 96144 6b1d29 5 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 96110->96144 96111 694cb6 96127 694ce8 96111->96127 96115->96109 96116->96103 96117 694bfb 96117->96103 96117->96106 96121 6a21a8 96117->96121 96120->96117 96145 6a1ee1 96121->96145 96164 6a2fa6 LeaveCriticalSection 96124->96164 96126 694cb2 
[Call-graph edge data omitted. Functions covered by this graph and the APIs they reach: 694cf6 GetPEB, 694d06 GetCurrentProcess / TerminateProcess, 694d1e ExitProcess; 694d97 GetProcAddress, 694dc0 FreeLibrary; 6a2f5e EnterCriticalSection, 6a1ed5 LeaveCriticalSection; 6ddf27 SHGetFolderPathW; 673b30 RegOpenKeyExW, 673b4a RegQueryValueExW, 673b80 RegCloseKey; 6cd27a GetUserNameW; 6dde27 WSAStartup, 6dde50 gethostname / gethostbyname, 6ddea5 inet_ntoa, 6ddede WSACleanup, 6debef and 6dec20 MultiByteToWideChar; 673556 RegOpenKeyExW, 6b3176 and 6b31b7 RegQueryValueExW, 6b320c RegCloseKey; 673364 GetFullPathNameW; 6742f5 GetVersionExW, 67441b GetCurrentProcess / IsWow64Process, 67444f LoadLibraryA, 674460 GetProcAddress, 674470 GetNativeSystemInfo, 67449c and 6b3824 GetSystemInfo, 67447a FreeLibrary.]

Control-flow Graph

• Executed
• Not Executed
[Graph for the function at 6742de; edge list omitted. Basic blocks that call APIs: 6742de GetVersionExW; 67441b GetCurrentProcess, IsWow64Process; 67444f LoadLibraryA; 6b3824 GetSystemInfo; 674460 GetProcAddress; 674470 GetNativeSystemInfo; 67449c GetSystemInfo; 67447a FreeLibrary.]
APIs
• GetVersionExW.KERNEL32(?), ref: 0067430D
  • Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A
• GetCurrentProcess.KERNEL32(?,0070CB64,00000000,?,?), ref: 00674422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00674429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00674454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00674466
• GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00674474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 0067447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 006744A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225
• Opcode ID: 7c17c820c89ce531cc86eefb84a8e054b144d3e397acbd4726a11a2028537fbe
• Instruction ID: 52e149f21108ddbf099263fbf9a3d0187ab8dd29004b9816eafda8a823108947
• Opcode Fuzzy Hash: 7c17c820c89ce531cc86eefb84a8e054b144d3e397acbd4726a11a2028537fbe
• Instruction Fuzzy Hash: CFA1D5BA90A2D0CFC712EF697C441E47FE6AB27340B84C5AAD04593B26E72C45C5DB2D

Control-flow Graph

• Executed
• Not Executed
[Graph for the function at 6742a2; edge list omitted. Basic blocks that call APIs: 6742a2 CreateStreamOnHGlobal; 6742bc FindResourceExW; 6b35ba LoadResource; 6b35cf SizeofResource; 6b35e3 LockResource.]
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006750AA,?,?,00000000,00000000), ref: 006742B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006750AA,?,?,00000000,00000000), ref: 006742C9
• LoadResource.KERNEL32(?,00000000,?,?,006750AA,?,?,00000000,00000000,?,?,?,?,?,?,00674F20), ref: 006B35BE
• SizeofResource.KERNEL32(?,00000000,?,?,006750AA,?,?,00000000,00000000,?,?,?,?,?,?,00674F20), ref: 006B35D3
• LockResource.KERNEL32(006750AA,?,?,006750AA,?,?,00000000,00000000,?,?,?,?,?,?,00674F20,?), ref: 006B35E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: 09c22560da4813123edb778686bc1f1086ec5c3f0307fd89e21123ff066955f1
• Instruction ID: 9e4b9424ddac63c7398e9c0908acb99ea4d8024a172b5669c6cffd9734dec91b
• Opcode Fuzzy Hash: 09c22560da4813123edb778686bc1f1086ec5c3f0307fd89e21123ff066955f1
• Instruction Fuzzy Hash: B4117C71200700FFD7228B65DC49F677BBAEFC5B51F208269F41696690DF71D9108A20

Control-flow Graph

APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 00672B6B
  • Part of subcall function 00673A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00741418,?,00672E7F,?,?,?,00000000), ref: 00673A78
  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00732224), ref: 006B2C10
• ShellExecuteW.SHELL32(00000000,?,?,00732224), ref: 006B2C17
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
• Opcode ID: 2fefa127cb9df04fac42a62a94a585efb863aa25d6626e587d5daf311eb707ca
• Instruction ID: caf974f5749ec12c22537966149ce0d18662c3108d1e8569ddd835dcc32fab19
• Opcode Fuzzy Hash: 2fefa127cb9df04fac42a62a94a585efb863aa25d6626e587d5daf311eb707ca
• Instruction Fuzzy Hash: CF113631208382AAC754FF20D862DBE7BE6AF91710F44C52DF08A021A3CF34858AD71A
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 006DD501
• Process32FirstW.KERNEL32(00000000,?), ref: 006DD50F
• Process32NextW.KERNEL32(00000000,?), ref: 006DD52F
• CloseHandle.KERNEL32(00000000), ref: 006DD5DC
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: 6ef44877694d7e01235979bbb21013709340e760973bf120a1ff95e9d0832773
• Instruction ID: a5fb10a84d72fb053baad1cdb4e4205b6868bbf83f9ae94bcf6fd3e2293a1f89
• Opcode Fuzzy Hash: 6ef44877694d7e01235979bbb21013709340e760973bf120a1ff95e9d0832773
• Instruction Fuzzy Hash: 1A31AF710083009FD305EF64D881AAFBBF9EF99354F104A2DF585862A2EB719945CBA3
APIs
• lstrlenW.KERNEL32(?,006B5222), ref: 006DDBCE
• GetFileAttributesW.KERNEL32(?), ref: 006DDBDD
• FindFirstFileW.KERNEL32(?,?), ref: 006DDBEE
• FindClose.KERNEL32(00000000), ref: 006DDBFA
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstlstrlen
• String ID:
• API String ID: 2695905019-0
• Opcode ID: 387a3348ebbe473b8a6ab47164634f4d3b75fc3def0ce2447272d8a145c8206e
• Instruction ID: d9ef9d96400a50b1123b25e674410854f8a248ac0ff477940c2f42bbd0139de6
• Opcode Fuzzy Hash: 387a3348ebbe473b8a6ab47164634f4d3b75fc3def0ce2447272d8a145c8206e
• Instruction Fuzzy Hash: A1F0A0B082091497D2217B78AC0E8BA376DAE01374F208703F836C22E1EFB459558699
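The three function records above (ShellExecuteW with the "runas" verb, the Toolhelp32 process walk, and the GetFileAttributesW/FindFirstFileW existence probe) are the kind of per-function API summaries a triage analyst turns into capability tags. The script below is an added example, not Joe Sandbox tooling or part of the report: it parses the "APIs" and "String ID" lines exactly as they appear in this section (the sample text is transcribed from the records above) and tags each function when a known API combination, plus the ShellExecute verb where relevant, is present. The rule set and tag names are assumptions for illustration.

```python
"""Tag Joe Sandbox per-function API records by capability (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the three function records transcribed from the report text.
SAMPLE_RECORDS = """\
APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 00672B6B
  • Part of subcall function 00673A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00741418,?,00672E7F,?,?,?,00000000), ref: 00673A78
  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00732224), ref: 006B2C10
• ShellExecuteW.SHELL32(00000000,?,?,00732224), ref: 006B2C17
• String ID: runas
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 006DD501
• Process32FirstW.KERNEL32(00000000,?), ref: 006DD50F
• Process32NextW.KERNEL32(00000000,?), ref: 006DD52F
• CloseHandle.KERNEL32(00000000), ref: 006DD5DC
• String ID:
APIs
• lstrlenW.KERNEL32(?,006B5222), ref: 006DDBCE
• GetFileAttributesW.KERNEL32(?), ref: 006DDBDD
• FindFirstFileW.KERNEL32(?,?), ref: 006DDBEE
• FindClose.KERNEL32(00000000), ref: 006DDBFA
• String ID:
"""

# One "• Api.MODULE(args), ref: ADDR" line; args and the subcall prefix are optional.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
STRING_RE = re.compile(r"•\s*String ID:\s*(?P<strings>.*)")
HEX_OR_UNKNOWN = re.compile(r"[0-9A-F?]*")  # stack args that are not string literals


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)   # (api, module, ref, direct_call)
    strings: set = field(default_factory=set)  # literals seen in args or String ID


# Hypothetical rule set (assumption): required APIs, required string literal, tag.
RULES = [
    ({"ShellExecuteW"}, "runas", "uac_elevation_prompt"),
    ({"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, None, "process_enumeration"),
    ({"GetFileAttributesW", "FindFirstFileW"}, None, "file_existence_probe"),
]


def parse_records(text):
    """Split report text into FunctionRecords; each 'APIs' header starts a new one."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = STRING_RE.match(stripped)
        if m:
            current.strings.update(m.group("strings").split())
            continue
        m = API_RE.match(stripped)
        if m:
            direct = "Part of subcall" not in stripped
            current.apis.append((m.group("api"), m.group("module"), m.group("ref"), direct))
            # Keep any argument that is not a hex value or '?' as a string literal.
            for arg in (m.group("args") or "").split(","):
                if arg and not HEX_OR_UNKNOWN.fullmatch(arg):
                    current.strings.add(arg)
    return records


def tag_record(rec):
    """Return every rule tag whose API set (and string, if any) the record satisfies."""
    names = {api for api, _, _, _ in rec.apis}
    return [tag for required, needed, tag in RULES
            if required <= names and (needed is None or needed in rec.strings)]


def triage(text):
    """Summarise each function: first call address, call count, capability tags."""
    return [{"first_ref": rec.apis[0][2] if rec.apis else None,
             "api_count": len(rec.apis),
             "tags": tag_record(rec)}
            for rec in parse_records(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row)
```

Subcall entries are kept but marked as indirect, so a rule can later be tightened to direct calls only; the "runas" literal is taken both from the String ID field and from the stack arguments Joe Sandbox prints (it appears on the GetForegroundWindow line here), since either placement is enough to distinguish an elevation attempt from an ordinary ShellExecuteW "open".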
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: LocalTime
                                                                                                                                                                                                                                                                                                                                                                                • String ID: %.3d$X64
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 481472006-1077770165
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b10101e022b303dd3df20ad27e5c0d8e3a4548e7513fb8b96beda8a34b2a9894
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 59b78aff741de97555ee5f93eef72ec09cebcbcf80b70c40d54288efb41f7648
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b10101e022b303dd3df20ad27e5c0d8e3a4548e7513fb8b96beda8a34b2a9894
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A8D012A1C08108E9CB90A7D0CC45EBAB3BDFB09301F50857AFA0692040D63CC64AAB61
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32(006A28E9,?,00694CBE,006A28E9,007388B8,0000000C,00694E15,006A28E9,00000002,00000000,?,006A28E9), ref: 00694D09
                                                                                                                                                                                                                                                                                                                                                                                • TerminateProcess.KERNEL32(00000000,?,00694CBE,006A28E9,007388B8,0000000C,00694E15,006A28E9,00000002,00000000,?,006A28E9), ref: 00694D10
                                                                                                                                                                                                                                                                                                                                                                                • ExitProcess.KERNEL32 ref: 00694D22
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1703294689-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 81d29a6bec7a64e00d76646563cf800c31f5a1e426e4fe4410559c3f8be1d9f1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 93abf86b25240ad99dc6149780b89db51434a33b153d541173bdc78987ee916f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 81d29a6bec7a64e00d76646563cf800c31f5a1e426e4fe4410559c3f8be1d9f1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ACE0B635010148EBCF16AF54DD09E987B6EFF46785B108218FC058A622CF39DD46CA88
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetUserNameW.ADVAPI32(?,?), ref: 006CD28C
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: NameUser
                                                                                                                                                                                                                                                                                                                                                                                • String ID: X64
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2645101109-893830106
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 8333d096d98187048731626b2ffcf5f083eaf4eba3e5bdeda648990237d3d822
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 6c5b9659df5c06ee589bf171a83f080a7d45e13bd226e594cca04ace2cb1a11a
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8333d096d98187048731626b2ffcf5f083eaf4eba3e5bdeda648990237d3d822
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 32D0C9B480111DEACB94DB90DC88DE9B37CFB04305F104355F106A2040DB34964A8F20
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: BuffCharUpper
                                                                                                                                                                                                                                                                                                                                                                                • String ID: p#t
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3964851224-1114731270
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 75e83abd84bd931e8fca93a551aebae39e6b7ddaa910cf6086b1a286df2fd439
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 82b749ec3eb11f2f018bebd0de1354f970a53627a208d7d6bf734a9780d76847
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 75e83abd84bd931e8fca93a551aebae39e6b7ddaa910cf6086b1a286df2fd439
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 23A25770608301DFD764DF28C480B6ABBE2FF89314F14896DE99A8B352D771E945CB92

Control-flow Graph (rendered interactively in the original report; legend: Executed / Not Executed). The graph covers the function whose first basic block starts at 006FAFF9 and whose last block ends at 006FB4F6; along its paths the report marks call sites for GetSystemDirectoryW (two), GetCurrentDirectoryW (two), CreateProcessW, GetLastError and CloseHandle (five), the same call sites listed under APIs below.
APIs
• _wcslen.LIBCMT ref: 006FB198
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006FB1B0
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006FB1D4
• _wcslen.LIBCMT ref: 006FB200
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006FB214
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006FB236
• _wcslen.LIBCMT ref: 006FB332
  • Part of subcall function 006E05A7: GetStdHandle.KERNEL32(000000F6), ref: 006E05C6
• _wcslen.LIBCMT ref: 006FB34B
• _wcslen.LIBCMT ref: 006FB366
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006FB3B6
• GetLastError.KERNEL32(00000000), ref: 006FB407
• CloseHandle.KERNEL32(?), ref: 006FB439
• CloseHandle.KERNEL32(00000000), ref: 006FB44A
• CloseHandle.KERNEL32(00000000), ref: 006FB45C
• CloseHandle.KERNEL32(00000000), ref: 006FB46E
• CloseHandle.KERNEL32(?), ref: 006FB4E3
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
• String ID:
• API String ID: 2178637699-0
• Opcode ID: b400a9f27cfb1930ded270bffe5d2cd6877e6731038b4a3fc6ea87b530f9d135
• Instruction ID: 53031fc71143cad1ecf6eb795f298e7a4db1b32d07f2927e334e9d183f47b268
• Opcode Fuzzy Hash: b400a9f27cfb1930ded270bffe5d2cd6877e6731038b4a3fc6ea87b530f9d135
• Instruction Fuzzy Hash: C3F198316083049FDB54EF24C891B6EBBE6AF85314F18855DF9898B3A2DB31EC41CB56
APIs
• GetInputState.USER32 ref: 0067D807
• timeGetTime.WINMM ref: 0067DA07
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0067DB28
• TranslateMessage.USER32(?), ref: 0067DB7B
• DispatchMessageW.USER32(?), ref: 0067DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0067DB9F
• Sleep.KERNEL32(0000000A), ref: 0067DBB1
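The two API listings above (the CreateProcessW wrapper whose first block starts at 006FAFF9, and the timeGetTime/PeekMessageW/Sleep loop around 0067D807) are the raw material an analyst triages from. As an added example that is not part of the Joe Sandbox report, here is a Python parser that reads lines in this listing format into call records, splits them per function, and tags each function with simple behaviour heuristics. The embedded sample lines are copied from the listings above; the tag rules, the record layout and the `summarize` output are this example's own choices and are not Joe Sandbox's signature logic.

```python
import re
from collections import namedtuple

# One parsed call-site line from a Joe Sandbox "APIs" listing.
# parent is the caller address when the line is marked
# "Part of subcall function <addr>:", otherwise None.
ApiCall = namedtuple("ApiCall", "api module args ref parent")

# Constructed sample: listing lines copied from two functions in the report
# above (the CreateProcessW wrapper starting at 006FAFF9 and the
# message-pump/timing loop around 0067D807). The "Memory Dump Source" line
# is the block that follows each listing in the report.
SAMPLE_REPORT = """\
APIs
• _wcslen.LIBCMT ref: 006FB198
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006FB1B0
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006FB214
  • Part of subcall function 006E05A7: GetStdHandle.KERNEL32(000000F6), ref: 006E05C6
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006FB3B6
• GetLastError.KERNEL32(00000000), ref: 006FB407
• CloseHandle.KERNEL32(?), ref: 006FB439
• CloseHandle.KERNEL32(00000000), ref: 006FB44A
Memory Dump Source
APIs
• GetInputState.USER32 ref: 0067D807
• timeGetTime.WINMM ref: 0067DA07
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0067DB28
• TranslateMessage.USER32(?), ref: 0067DB7B
• DispatchMessageW.USER32(?), ref: 0067DB89
• Sleep.KERNEL32(0000000A), ref: 0067DBB1
Memory Dump Source
"""

# Grammar of one line: • [Part of subcall function ADDR:] Api.MODULE[(args)][,] ref: ADDR
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Behaviour tags: a tag fires when every API in its set is called directly
# by the function. These rules are this example's own heuristics (assumed),
# not the signatures Joe Sandbox used to produce the report.
RULES = {
    "spawns_process": {"CreateProcessW"},
    # timer read plus Sleep: the execution-timing pattern the report's
    # overview flags as often used to detect debuggers
    "timing_check": {"timeGetTime", "Sleep"},
    "message_pump": {"PeekMessageW", "DispatchMessageW"},
}


def parse_functions(text):
    """Return one list of ApiCall per "APIs" listing, in call-site order."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue  # headings, hash lines, memory-dump lines, etc.
        raw_args = m.group("args")
        args = tuple(raw_args.split(",")) if raw_args is not None else ()
        current.append(ApiCall(m.group("api"), m.group("module"), args,
                               int(m.group("ref"), 16), m.group("parent")))
    return functions


def tag_function(calls):
    """Sorted behaviour tags for one function, judged on its direct calls only."""
    direct = {c.api for c in calls if c.parent is None}
    return sorted(tag for tag, needed in RULES.items() if needed <= direct)


def summarize(text):
    """Per-function triage rows: lowest direct call site, distinct APIs, tags."""
    rows = []
    for calls in parse_functions(text):
        if not calls:
            continue
        direct = [c for c in calls if c.parent is None] or calls
        rows.append({
            "first_ref": "%08X" % min(c.ref for c in direct),
            "apis": sorted({c.api for c in calls}),
            "closehandle_count": sum(c.api == "CloseHandle" for c in calls),
            "tags": tag_function(calls),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row["first_ref"], row["tags"], row["apis"])
```

Subcall lines are kept in the record (with `parent` set) but excluded from tagging, so a function is not credited with behaviour that actually lives in a callee; pasting further "APIs" blocks from the report into `SAMPLE_REPORT` extends the triage without changing the parser.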
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
• String ID:
• API String ID: 2189390790-0
• Opcode ID: 68f29b66e9894c19c7bb198f9c961eed6e8fa6e75db1ff7412f12b619d3fa337
• Instruction ID: 8823c9a292711d681f2be4c5317473d5982b52850e04776ef02f9a26d6165d8b
• Opcode Fuzzy Hash: 68f29b66e9894c19c7bb198f9c961eed6e8fa6e75db1ff7412f12b619d3fa337
• Instruction Fuzzy Hash: 2842EE70604242DFD729DB24C854FBAB7B2FF86304F148A1EE95A87391C774E885CB96

Control-flow Graph (rendered interactively in the original report; not reproduced in this extract)

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00672D07
• RegisterClassExW.USER32(00000030), ref: 00672D31
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00672D42
• InitCommonControlsEx.COMCTL32(?), ref: 00672D5F
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00672D6F
• LoadIconW.USER32(000000A9), ref: 00672D85
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00672D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2914291525-1005189915
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c6af64556f07bcc3b390e89901f9bce4a967cefee4e0f1052c8a151cf6c21d27
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 0bc84db1221c8c6c3c14aa39828348d366dce0043238d788691fd9088901b950
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c6af64556f07bcc3b390e89901f9bce4a967cefee4e0f1052c8a151cf6c21d27
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A321E3B5911248EFDB01EFA4EC49BDDBBB4FB09700F00821AF511A62A0DBB91584CF98

Control-flow Graph (graph rendering not preserved in text; raw edge dump omitted)
APIs
  • Part of subcall function 006B039A: CreateFileW.KERNEL32(00000000,00000000,?,006B0704,?,?,00000000,?,006B0704,00000000,0000000C), ref: 006B03B7
• GetLastError.KERNEL32 ref: 006B076F
• __dosmaperr.LIBCMT ref: 006B0776
• GetFileType.KERNEL32(00000000), ref: 006B0782
• GetLastError.KERNEL32 ref: 006B078C
• __dosmaperr.LIBCMT ref: 006B0795
• CloseHandle.KERNEL32(00000000), ref: 006B07B5
• CloseHandle.KERNEL32(?), ref: 006B08FF
• GetLastError.KERNEL32 ref: 006B0931
• __dosmaperr.LIBCMT ref: 006B0938
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: f50148262f7b788279c75854cf5b2d6960841e94f13d83ca7d9fa040195d1562
• Instruction ID: 989017e28c660199752c160f2dee3dadd58536f147512033f249d9d436477836
• Opcode Fuzzy Hash: f50148262f7b788279c75854cf5b2d6960841e94f13d83ca7d9fa040195d1562
• Instruction Fuzzy Hash: 15A13772A101048FEF19EF68D851BEE7FA2AB06320F14416EF811DB392DB359D52CB95

Control-flow Graph

APIs
  • Part of subcall function 00673A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00741418,?,00672E7F,?,?,?,00000000), ref: 00673A78
  • Part of subcall function 00673357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00673379
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0067356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006B318D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006B31CE
• RegCloseKey.ADVAPI32(?), ref: 006B3210
• _wcslen.LIBCMT ref: 006B3277
• _wcslen.LIBCMT ref: 006B3286
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 98802146-2727554177
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ee131db9ba472a0ca64481f3c21a5430896c42eff593a72b8c31c3451cf4ddfb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: fb31efc19cf1c46f90c08fdf9521502157992ecd0cfcdf9ce527894c4ae45ba8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ee131db9ba472a0ca64481f3c21a5430896c42eff593a72b8c31c3451cf4ddfb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3F71D7B15043009EC354DF65DC428ABBBF9FF86740F80852EF545832B1EB389A59CB6A

                                                                                                                                                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 00672B8E
                                                                                                                                                                                                                                                                                                                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00672B9D
                                                                                                                                                                                                                                                                                                                                                                                • LoadIconW.USER32(00000063), ref: 00672BB3
                                                                                                                                                                                                                                                                                                                                                                                • LoadIconW.USER32(000000A4), ref: 00672BC5
                                                                                                                                                                                                                                                                                                                                                                                • LoadIconW.USER32(000000A2), ref: 00672BD7
                                                                                                                                                                                                                                                                                                                                                                                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00672BEF
                                                                                                                                                                                                                                                                                                                                                                                • RegisterClassExW.USER32(?), ref: 00672C40
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00672CD4: GetSysColorBrush.USER32(0000000F), ref: 00672D07
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00672CD4: RegisterClassExW.USER32(00000030), ref: 00672D31
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00672CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00672D42
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00672CD4: InitCommonControlsEx.COMCTL32(?), ref: 00672D5F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00672CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00672D6F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00672CD4: LoadIconW.USER32(000000A9), ref: 00672D85
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00672CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00672D94
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: #$0$AutoIt v3
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 423443420-4155596026
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: eeed44c612e88440173b995acd4f1735804f1dcc1048018ef4743ea3e574ca23
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 7df356b97d1aa7d96706c668f4a41f56febc562ea5a471db30068d855e4ba59f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eeed44c612e88440173b995acd4f1735804f1dcc1048018ef4743ea3e574ca23
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6E214C78E40314ABDB11AFA5EC55A997FB4FB09B50F40C11BF500A66A0D7B90580CF98
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 0067BB4E
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Init_thread_footer
                                                                                                                                                                                                                                                                                                                                                                                • String ID: p#t$p#t$p#t$p#t$p%t$p%t$x#t$x#t
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1385522511-3434696796
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c9aa44c368586918cc171dfbc68edbd8ba61f09f8717b5b3c895d30c73295076
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f338dab1bd5f955339947418ed250103337b29eba5e4daf0dca9c62d22a67341
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c9aa44c368586918cc171dfbc68edbd8ba61f09f8717b5b3c895d30c73295076
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 72329B34A00209DFEB14DF54C894FBAB7BAEF45304F14C05AE919AB352D778AE42CB95

                                                                                                                                                                                                                                                                                                                                                                                Control-flow Graph

control_flow_graph 805 673170-673185 806 673187-67318a 805->806 807 6731e5-6731e7 805->807 809 67318c-673193 806->809 810 6731eb 806->810 807->806 808 6731e9 807->808 811 6731d0-6731d8 DefWindowProcW 808->811 814 673265-67326d PostQuitMessage 809->814 815 673199-67319e 809->815 812 6b2dfb-6b2e23 call 6718e2 call 68e499 810->812 813 6731f1-6731f6 810->813 821 6731de-6731e4 811->821 851 6b2e28-6b2e2f 812->851 816 67321d-673244 SetTimer RegisterWindowMessageW 813->816 817 6731f8-6731fb 813->817 822 673219-67321b 814->822 819 6731a4-6731a8 815->819 820 6b2e7c-6b2e90 call 6dbf30 815->820 816->822 826 673246-673251 CreatePopupMenu 816->826 823 673201-67320f KillTimer call 6730f2 817->823 824 6b2d9c-6b2d9f 817->824 827 6b2e68-6b2e72 call 6dc161 819->827 828 6731ae-6731b3 819->828 820->822 846 6b2e96 820->846 822->821 841 673214 call 673c50 823->841 830 6b2da1-6b2da5 824->830 831 6b2dd7-6b2df6 MoveWindow 824->831 826->822 842 6b2e77 827->842 835 6b2e4d-6b2e54 828->835 836 6731b9-6731be 828->836 838 6b2da7-6b2daa 830->838 839 6b2dc6-6b2dd2 SetFocus 830->839 831->822 835->811 840 6b2e5a-6b2e63 call 6d0ad7 835->840 844 6731c4-6731ca 836->844 845 673253-673263 call 67326f 836->845 838->844 847 6b2db0-6b2dc1 call 6718e2 838->847 839->822 840->811 841->822 842->822 844->811 844->851 845->822 846->811 847->822 851->811 855 6b2e35-6b2e48 call 6730f2 call 673837 851->855 855->811
APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0067316A,?,?), ref: 006731D8
• KillTimer.USER32(?,00000001,?,?,?,?,?,0067316A,?,?), ref: 00673204
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00673227
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0067316A,?,?), ref: 00673232
• CreatePopupMenu.USER32 ref: 00673246
• PostQuitMessage.USER32(00000000), ref: 00673267
Strings
Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                                                                                                                                                                                                                                                                                • String ID: TaskbarCreated
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 129472671-2362178303
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f9cd330203db420aaff7e4a79456c91ea2f557f63b3c5cd320f12b6acd398f8e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 8ebb1e45721b707ecfeead1796deda140d09d3abc90b2ddb02a357ca9d79e904
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f9cd330203db420aaff7e4a79456c91ea2f557f63b3c5cd320f12b6acd398f8e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 82416D35250224E7DB152B388C197F9375BE706340F94C22AF519853A2CB799B81A76A
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID: D%t$D%t$D%t$D%t$D%tD%t$Variable must be of type 'Object'.
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 0-3475053870
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 1bbae59d9d5eec0a24238054effeec3c7c98ef864ffe4577c1416d163200410c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: caa8cf3de5ae5550bffa20c7e22428306027b99801246a551968ac73858e262f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1bbae59d9d5eec0a24238054effeec3c7c98ef864ffe4577c1416d163200410c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 15C28D75A00214CFCB24DF58C881AADB7B2FF09310F24C5A9E919AB391D376ED46CB95
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 0067FE66
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Init_thread_footer
                                                                                                                                                                                                                                                                                                                                                                                • String ID: D%t$D%t$D%t$D%t$D%tD%t
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1385522511-302452260
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 2f710cc086279f089aa38d1fc5a5120d10bdc2679702d7a96b9cf034074bc7d5
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f97b4b6ef2b7579eaba2c8c3d0a74375a72c68d2427c2da9615f823c35d6a262
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2f710cc086279f089aa38d1fc5a5120d10bdc2679702d7a96b9cf034074bc7d5
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 12B29B74608340CFDB64CF18C490A6AB7E2BF99310F24896DF8998B352D775ED46CB92

                                                                                                                                                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                                                                                                                                                                control_flow_graph 1814 671410-671449 1815 6b24b8-6b24b9 DestroyWindow 1814->1815 1816 67144f-671465 mciSendStringW 1814->1816 1820 6b24c4-6b24d1 1815->1820 1817 6716c6-6716d3 1816->1817 1818 67146b-671473 1816->1818 1821 6716d5-6716f0 UnregisterHotKey 1817->1821 1822 6716f8-6716ff 1817->1822 1819 671479-671488 call 67182e 1818->1819 1818->1820 1835 6b250e-6b251a 1819->1835 1836 67148e-671496 1819->1836 1826 6b24d3-6b24d6 1820->1826 1827 6b2500-6b2507 1820->1827 1821->1822 1824 6716f2-6716f3 call 6710d0 1821->1824 1822->1818 1825 671705 1822->1825 1824->1822 1825->1817 1828 6b24d8-6b24e0 call 676246 1826->1828 1829 6b24e2-6b24e5 FindClose 1826->1829 1827->1820 1832 6b2509 1827->1832 1834 6b24eb-6b24f8 1828->1834 1829->1834 1832->1835 1834->1827 1838 6b24fa-6b24fb call 6e32b1 1834->1838 1841 6b251c-6b251e FreeLibrary 1835->1841 1842 6b2524-6b252b 1835->1842 1839 6b2532-6b253f 1836->1839 1840 67149c-6714c1 call 67cfa0 1836->1840 1838->1827 1843 6b2541-6b255e VirtualFree 1839->1843 1844 6b2566-6b256d 1839->1844 1852 6714c3 1840->1852 1853 6714f8-671503 CoUninitialize 1840->1853 1841->1842 1842->1835 1847 6b252d 1842->1847 1843->1844 1848 6b2560-6b2561 call 6e3317 1843->1848 1844->1839 1849 6b256f 1844->1849 1847->1839 1848->1844 1854 6b2574-6b2578 1849->1854 1855 6714c6-6714f6 call 671a05 call 6719ae 1852->1855 1853->1854 1856 671509-67150e 1853->1856 1854->1856 1859 6b257e-6b2584 1854->1859 1855->1853 1857 6b2589-6b2596 call 6e32eb 1856->1857 1858 671514-67151e 1856->1858 1872 6b2598 1857->1872 1861 671707-671714 call 68f80e 1858->1861 1862 671524-6715a5 call 67988f call 671944 call 6717d5 call 68fe14 call 
67177c call 67988f call 67cfa0 call 6717fe call 68fe14 1858->1862 1859->1856 1861->1862 1875 67171a 1861->1875 1877 6b259d-6b25bf call 68fdcd 1862->1877 1903 6715ab-6715cf call 68fe14 1862->1903 1872->1877 1875->1861 1882 6b25c1 1877->1882 1885 6b25c6-6b25e8 call 68fdcd 1882->1885 1891 6b25ea 1885->1891 1894 6b25ef-6b2611 call 68fdcd 1891->1894 1901 6b2613 1894->1901 1904 6b2618-6b2625 call 6d64d4 1901->1904 1903->1885 1910 6715d5-6715f9 call 68fe14 1903->1910 1909 6b2627 1904->1909 1912 6b262c-6b2639 call 68ac64 1909->1912 1910->1894 1915 6715ff-671619 call 68fe14 1910->1915 1918 6b263b 1912->1918 1915->1904 1920 67161f-671643 call 6717d5 call 68fe14 1915->1920 1921 6b2640-6b264d call 6e3245 1918->1921 1920->1912 1929 671649-671651 1920->1929 1928 6b264f 1921->1928 1931 6b2654-6b2661 call 6e32cc 1928->1931 1929->1921 1930 671657-671675 call 67988f call 67190a 1929->1930 1930->1931 1940 67167b-671689 1930->1940 1936 6b2663 1931->1936 1939 6b2668-6b2675 call 6e32cc 1936->1939 1945 6b2677 1939->1945 1940->1939 1942 67168f-6716c5 call 67988f * 3 call 671876 1940->1942 1945->1945
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00671459
• CoUninitialize.COMBASE ref: 006714F8
• UnregisterHotKey.USER32(?), ref: 006716DD
• DestroyWindow.USER32(?), ref: 006B24B9
• FreeLibrary.KERNEL32(?), ref: 006B251E
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 006B254B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 0d3170ce7fe822b84745a1cfbebbc0f0201e068d48c8e9323b89eeba49b4ab9a
• Instruction ID: 927b685f9bbf8cfe650c89af0845d1b7cbd8d0ad1a0f7164b3d11022540d3d52
• Opcode Fuzzy Hash: 0d3170ce7fe822b84745a1cfbebbc0f0201e068d48c8e9323b89eeba49b4ab9a
• Instruction Fuzzy Hash: 62D18E71701212CFDB29EF18C4A9AA9F7E2BF05700F1482AEE54A6B351DB30AD52CF55

Control-flow Graph
Basic blocks and edges recovered from the graph data (the rendered image's executed/not-executed colouring is not preserved in this text):
• 6dde27-6dde4a: WSAStartup → 6dde50 or 6ddee6
• 6dde50-6dde71: gethostname, gethostbyname → 6dde73 or 6ddee6
• 6dde73-6dde7a → 6dde7c or 6dde83
• 6dde7c-6dde81: loop (→ 6dde7c) → 6dde83
• 6dde83-6dde85 → 6dde87 or 6dde96
• 6dde87-6dde94: call 694983 → 6ddede
• 6dde96-6ddedb: call 690e20, inet_ntoa, call 69d5f0, call 6debd1, call 694983, call 68fe14 → 6ddede
• 6ddede-6ddee4: WSACleanup → 6ddef3
• 6ddee6-6ddef2: call 694983 → 6ddef3
• 6ddef3-6ddef6 (no successors)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 642191829-3771769585
• Opcode ID: 74ba4c85cd9a7eecc83a8bc081dd2d141f6e497b88a4b42432033d7807a2cb9f
• Instruction ID: 0c3aa70b762fc6c38f43c21fab94aa46a1ab6fbb5100208900ccf749663aa930
• Opcode Fuzzy Hash: 74ba4c85cd9a7eecc83a8bc081dd2d141f6e497b88a4b42432033d7807a2cb9f
• Instruction Fuzzy Hash: 0711E471904104BBDB61BB64DC0AEEE77AEDB50711F00426AF4059A291EF758A828B64

Control-flow Graph
Basic blocks recovered from the graph data (the rendered image's executed/not-executed colouring is not preserved in this text):
• 672c63-672cd3: CreateWindowExW (called twice), ShowWindow (called twice); single basic block
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00672C91
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00672CB2
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00671CAD,?), ref: 00672CC6
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00671CAD,?), ref: 00672CCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 3138124e542219b13b619dcd6c4875a3a3be8c39cfb9a55edc4fb84ea656af7d
• Instruction ID: 74c89562dc90a907d3f6e7499ff68f5e0b45982fb14a1c6e3ddba9608e105052
• Opcode Fuzzy Hash: 3138124e542219b13b619dcd6c4875a3a3be8c39cfb9a55edc4fb84ea656af7d
• Instruction Fuzzy Hash: 09F0DA79540290BAEB322B17AC48E772EBDD7C7F50B41815AF900A25A0C7691894DAB8
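The API listings in these sections all follow one layout, `Api.MODULE(args), ref: address`, with the argument list dropped where the sandbox recovered none. As an added example (not part of the Joe Sandbox report and not Joe Sandbox code), the Python below parses such lines into records, orders the calls by call-site address, separates string arguments from 8-hex-digit values and `?` placeholders, and applies two triage heuristics of the example's own making: a CreateWindowExW pair creating an "AutoIt v3" window plus an "edit" child (the String ID `AutoIt v3$edit` above), and export names resolved at run time through GetProcAddress. The sample input is copied from the API bullets in this part of the report; the function names and the heuristics are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: API bullets copied verbatim from the disassembly sections of
# this report. The parser and heuristics below are an added example, not Joe
# Sandbox code, and the function names are this example's own.
SAMPLE_LINES = [
    "• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00672C91",
    "• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00672CB2",
    "• ShowWindow.USER32(00000000,?,?,?,?,?,?,00671CAD,?), ref: 00672CC6",
    "• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006CD3BF",
    "• LoadLibraryA.KERNEL32 ref: 006CD3AD",
    "• CoUninitialize.COMBASE ref: 006714F8",
    "• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00671459",
]

# Layout used by the report: "<Api>.<MODULE>(<args>), ref: <hex address>"; the
# parenthesised argument list is absent when no arguments were recovered.
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX32_RE = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int  # call-site address


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one API bullet; return None for headers and other non-API lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def parse_report(lines) -> List[ApiCall]:
    """All API calls in the listing, ordered by call-site address."""
    calls = [c for c in (parse_api_line(l) for l in lines) if c is not None]
    return sorted(calls, key=lambda c: c.ref)


def string_args(call: ApiCall) -> List[str]:
    """Arguments the report rendered as literal strings rather than as
    8-hex-digit values or the '?' placeholder for an unrecovered value."""
    return [a for a in call.args if a != "?" and not HEX32_RE.fullmatch(a)]


def autoit_window_fingerprint(calls: List[ApiCall]) -> bool:
    """Heuristic (this example's assumption, not a report rule): a CreateWindowExW
    whose class name (2nd argument) is 'AutoIt v3' together with one creating an
    'edit' child control, matching the String ID 'AutoIt v3$edit' in the report."""
    classes = {c.args[1] for c in calls if c.api == "CreateWindowExW" and len(c.args) > 1}
    return {"AutoIt v3", "edit"} <= classes


def dynamic_imports(calls: List[ApiCall]) -> List[str]:
    """Export names resolved at run time: the 2nd argument of GetProcAddress."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) > 1 and c.args[1] != "?"]


if __name__ == "__main__":
    calls = parse_report(SAMPLE_LINES)
    for call in calls:
        print(f"{call.ref:08X} {call.module}!{call.api} strings={string_args(call)}")
    print("AutoIt window fingerprint:", autoit_window_fingerprint(calls))
    print("Dynamically resolved:", dynamic_imports(calls))
```

Run against a full report export, the same parser gives a per-function call sequence in address order, which is usually quicker to triage than the per-function Similarity IDs; the two heuristics are starting points to extend, not a classifier.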

Control-flow Graph
Basic blocks and edges recovered from the graph data (the rendered image's executed/not-executed colouring is not preserved in this text):
• 6cd292-6cd2a8 → 6cd2a9
• 6cd2a9: loop (→ 6cd2a9)
• 6cd376-6cd37b → 6cd292
• 6cd3a0-6cd3a9 → 6cd3ab or 6cd376
• 6cd3ab-6cd3b7: LoadLibraryA → 6cd3b9 or 6cd3c9
• 6cd3b9-6cd3c7: GetProcAddress → 6cd3c9 or 6cd3ce
• 6cd3c9 → 6cd3ce
• 6cd3ce-6cd3de → 6cd292 or 6cd3e4
• 6cd3e4-6cd3eb: FreeLibrary → 6cd292
APIs
• LoadLibraryA.KERNEL32 ref: 006CD3AD
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006CD3BF
• FreeLibrary.KERNEL32(00000000), ref: 006CD3E5
Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                                                                                                                                                                                                • String ID: GetSystemWow64DirectoryW$X64
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 145871493-2590602151
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 8950039e35c9f16d28b87ac302ef9f5229221ac5049a0e669f68d4287c855011
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f6fc4af9b3735fdc9e7210f7232293c5cb90952285cf3d4d2df28ecd9c4f11d1
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8950039e35c9f16d28b87ac302ef9f5229221ac5049a0e669f68d4287c855011
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ECF020B0801620DBD7362B108C18FBAB213EF12701F64837CE90AE1290DB28CE418692

                                                                                                                                                                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                                                                                                                                                                control_flow_graph 2424 673b1c-673b27 2425 673b99-673b9b 2424->2425 2426 673b29-673b2e 2424->2426 2428 673b8c-673b8f 2425->2428 2426->2425 2427 673b30-673b48 RegOpenKeyExW 2426->2427 2427->2425 2429 673b4a-673b69 RegQueryValueExW 2427->2429 2430 673b80-673b8b RegCloseKey 2429->2430 2431 673b6b-673b76 2429->2431 2430->2428 2432 673b90-673b97 2431->2432 2433 673b78-673b7a 2431->2433 2434 673b7e 2432->2434 2433->2434 2434->2430
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00673B0F,SwapMouseButtons,00000004,?), ref: 00673B40
                                                                                                                                                                                                                                                                                                                                                                                • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00673B0F,SwapMouseButtons,00000004,?), ref: 00673B61
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00673B0F,SwapMouseButtons,00000004,?), ref: 00673B83
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CloseOpenQueryValue
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Control Panel\Mouse
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3677997916-824357125
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 4e6e540956636cb99ac5f71540a9b5987a977727d209660e6d2ba9b37d36ab44
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 63cc692715799ec3a825e3731a91e814e915e9b7117598a3362f87abc2a5678a
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4e6e540956636cb99ac5f71540a9b5987a977727d209660e6d2ba9b37d36ab44
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B0112AB5510218FFDB218FA5DC44AEEB7BDEF24B44B10855AA809D7210E6319E40A7A4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006B33A2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A
                                                                                                                                                                                                                                                                                                                                                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00673A04
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: IconLoadNotifyShell_String_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Line:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2289894680-1585850449
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 6b63d9b0328cd2cbf94a84ae6b7f9fb000c59060334b020c549552fb127e3b7c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 83312c4221b95f5740342c8d133f538cc439f169ad144c62c2efdf06ec497d22
• Opcode Fuzzy Hash: 6b63d9b0328cd2cbf94a84ae6b7f9fb000c59060334b020c549552fb127e3b7c
• Instruction Fuzzy Hash: B631C571508320AEC761EF20DC45BEBB7D9AB41710F00861EF59D83291EF749689C7CA
APIs
• GetOpenFileNameW.COMDLG32(?), ref: 006B2C8C
  • Part of subcall function 00673AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00673A97,?,?,00672E7F,?,?,?,00000000), ref: 00673AC2
  • Part of subcall function 00672DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00672DC4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: X$`es
• API String ID: 779396738-2017476410
• Opcode ID: 7f415214d1fdfe20ddb54de6ef1af4044109497a86244d0dd15b78539aa09db5
• Instruction ID: 22641b3b94c096829976899d882e4851b7d74dafa1fb4b59e36962290dc510ba
• Opcode Fuzzy Hash: 7f415214d1fdfe20ddb54de6ef1af4044109497a86244d0dd15b78539aa09db5
• Instruction Fuzzy Hash: D4219671A00258ABDB41DF94C8557EE7BFDAF49304F00C05DE509A7241DBB85A898B65
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00690668
  • Part of subcall function 006932A4: RaiseException.KERNEL32(?,?,?,0069068A,?,00741444,?,?,?,?,?,?,0069068A,00671129,00738738,00671129), ref: 00693304
• __CxxThrowException@8.LIBVCRUNTIME ref: 00690685
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: 4e7647e8e13965fbf1adcc5281628125e9508944d719f582f2e4ea6ffa0d03ee
• Instruction ID: eb83d81bafdd1d4a15241a2dda63b58229d6142cb350c08d601f427f45cfe890
• Opcode Fuzzy Hash: 4e7647e8e13965fbf1adcc5281628125e9508944d719f582f2e4ea6ffa0d03ee
• Instruction Fuzzy Hash: 42F04F34900209ABDF40B7A4D846C9E776E5E40350B604639B924D6ED2EF71EB66C685
APIs
  • Part of subcall function 00671BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00671BF4
  • Part of subcall function 00671BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00671BFC
  • Part of subcall function 00671BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00671C07
  • Part of subcall function 00671BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00671C12
  • Part of subcall function 00671BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00671C1A
  • Part of subcall function 00671BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00671C22
  • Part of subcall function 00671B4A: RegisterWindowMessageW.USER32(00000004,?,006712C4), ref: 00671BA2
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0067136A
• OleInitialize.OLE32 ref: 00671388
• CloseHandle.KERNEL32(00000000,00000000), ref: 006B24AB
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 1986988660-0
• Opcode ID: 418a5bb902c56def179d5bbe8d1b8c1e2966b4119035184b59e09f2f4651a9d2
• Instruction ID: ded2b8aa272b74e8623566e161bea691a6512e7fec3cf752715b414cf8d52652
• Opcode Fuzzy Hash: 418a5bb902c56def179d5bbe8d1b8c1e2966b4119035184b59e09f2f4651a9d2
• Instruction Fuzzy Hash: 887199B89112408FC384FF79E845695BAE5AB8A394395C22FD51ACB261EB3C44E0CF5D
APIs
  • Part of subcall function 00673923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00673A04
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006DC259
• KillTimer.USER32(?,00000001,?,?), ref: 006DC261
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006DC270
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: IconNotifyShell_Timer$Kill
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3500052701-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 2b82241475eafa98fde9b8f44fefaa82244c9e75cc97d594d041ac6538847971
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a4b5d0e74b576f81b2dbcf0d52354b4e6c6fe54a83268a7c65ce660034a5538a
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2b82241475eafa98fde9b8f44fefaa82244c9e75cc97d594d041ac6538847971
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AE31E370D00348AFEB329F648895BE7BBEDAB02314F00409EE2DA93341C7745A85CB55
APIs
• CloseHandle.KERNEL32(00000000,00000000,?,?,006A85CC,?,00738CC8,0000000C), ref: 006A8704
• GetLastError.KERNEL32(?,006A85CC,?,00738CC8,0000000C), ref: 006A870E
• __dosmaperr.LIBCMT ref: 006A8739
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0
• Opcode ID: 51d0aa4760f447e1d1072ccbf1286092fe14ba8e9f465c05b37445c277b3bc82
• Instruction ID: b8f48747e1b706b225df81947c9e5eccbe475c019a622d0c0f47537b99e501ea
• Opcode Fuzzy Hash: 51d0aa4760f447e1d1072ccbf1286092fe14ba8e9f465c05b37445c277b3bc82
• Instruction Fuzzy Hash: 6B0148326046202EEAA0B3346845BAE674B4BC3774F39121DE8058B2D2EEA4DC818998
APIs
• TranslateMessage.USER32(?), ref: 0067DB7B
• DispatchMessageW.USER32(?), ref: 0067DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0067DB9F
• Sleep.KERNEL32(0000000A), ref: 0067DBB1
• TranslateAcceleratorW.USER32(?,?,?), ref: 006C1CC9
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
• String ID:
• API String ID: 3288985973-0
• Opcode ID: 1959d3d4473a5c9a50bafa81b215815a8c95c8c40f8cb6589389672888aacbec
• Instruction ID: ae2f2fddd2258be9dffaa327468a27827b1aa5a6bf7d2f9b737de702dbde35dc
• Opcode Fuzzy Hash: 1959d3d4473a5c9a50bafa81b215815a8c95c8c40f8cb6589389672888aacbec
• Instruction Fuzzy Hash: 1EF05E30644340DBE730DB608C49FEA73BEEF46710F508B19F61A971C0DB78A4888B19
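The three function entries above (tray icon plus timer, CRT close wrapper, and a PeekMessageW/Sleep message pump) are easier to pivot on once the listing is parsed. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it reads blocks in the format shown above from a constructed sample copied from those three entries (whitespace trimmed), extracts each API call with its module, arguments, call-site address and any "Part of subcall function" parent, decodes the constant timing arguments (Sleep(0000000A) is 10 ms, the SetTimer uElapse 000002EE is 750 ms), and tags each block by analyst-chosen API sets. The tag names and the PATTERNS table are assumptions for triage, not Joe Sandbox signatures; a PeekMessageW loop that sleeps 10 ms between polls is how a GUI runtime such as the AutoIt interpreter the report suspects typically idles, so the tag groups call sites rather than proving anything on its own.

```python
"""Parse Joe Sandbox per-function API listings and tag call-site patterns."""
import re
from collections import defaultdict

# Constructed sample: three function blocks copied from the report listing
# above, with the leading whitespace and "Download File" link text removed.
SAMPLE = """\
APIs
  • Part of subcall function 00673923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00673A04
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006DC259
• KillTimer.USER32(?,00000001,?,?), ref: 006DC261
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006DC270
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
APIs
• CloseHandle.KERNEL32(00000000,00000000,?,?,006A85CC,?,00738CC8,0000000C), ref: 006A8704
• GetLastError.KERNEL32(?,006A85CC,?,00738CC8,0000000C), ref: 006A870E
• __dosmaperr.LIBCMT ref: 006A8739
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
APIs
• TranslateMessage.USER32(?), ref: 0067DB7B
• DispatchMessageW.USER32(?), ref: 0067DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0067DB9F
• Sleep.KERNEL32(0000000A), ref: 0067DBB1
• TranslateAcceleratorW.USER32(?,?,?), ref: 006C1CC9
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
"""

# One API line: optional subcall prefix, Name.MODULE, optional (args), ref: ADDR.
# Lines such as "__dosmaperr.LIBCMT ref: 006A8739" have no argument list.
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$"
)
# Any other bullet is "Key: value" metadata (API ID, Opcode ID, Source File, ...).
META_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s*(?P<value>.*)$")

# Analyst-chosen heuristics (assumption, not Joe Sandbox's own signatures):
# a block gets a tag when it calls every API in the set.
PATTERNS = {
    "message_pump": {"TranslateMessage", "DispatchMessageW", "PeekMessageW"},
    "polling_sleep": {"PeekMessageW", "Sleep"},
    "tray_icon_timer": {"Shell_NotifyIconW", "SetTimer"},
    "crt_close_wrapper": {"CloseHandle", "__dosmaperr"},
}


def parse_blocks(text):
    """Split the listing into function blocks, one per 'APIs' header."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "meta": {}}
            blocks.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # section headers such as "Similarity" carry no data
        m = API_RE.match(line)  # try the API shape first: it also contains "ref:"
        if m:
            args = m.group("args")
            current["apis"].append({
                "name": m.group("name"),
                "module": m.group("module"),
                "args": args.split(",") if args is not None else None,
                "ref": m.group("ref"),
                "subcall": m.group("sub"),
            })
            continue
        m = META_RE.match(line)
        if m:
            current["meta"][m.group("key").strip()] = m.group("value").strip()
    return blocks


def hex_arg(call, index):
    """Decode one hex argument; '?' means the sandbox could not resolve it."""
    if call["args"] is None or index >= len(call["args"]):
        return None
    value = call["args"][index]
    return None if value == "?" else int(value, 16)


def classify(block):
    """Tags from PATTERNS whose API set is fully present in the block."""
    names = {call["name"] for call in block["apis"]}
    return [tag for tag, required in PATTERNS.items() if required <= names]


def sleep_ms(block):
    """Constant Sleep(dwMilliseconds) in the block, or None."""
    return next((hex_arg(c, 0) for c in block["apis"] if c["name"] == "Sleep"), None)


def timer_ms(block):
    """Constant SetTimer uElapse (third argument) in the block, or None."""
    return next((hex_arg(c, 2) for c in block["apis"] if c["name"] == "SetTimer"), None)


def index_by_api(blocks):
    """Map API name -> set of call-site addresses, for pivoting across the report."""
    index = defaultdict(set)
    for block in blocks:
        for call in block["apis"]:
            index[call["name"]].add(call["ref"])
    return index


if __name__ == "__main__":
    for block in parse_blocks(SAMPLE):
        print(block["meta"].get("API ID"), classify(block), sleep_ms(block), timer_ms(block))
```

Feed the whole function listing instead of SAMPLE and index_by_api gives every call site of Sleep, SetTimer or IsDebuggerPresent in one pass, which is the quickest way to locate the timing and anti-debug code the report's signature list refers to.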
APIs
• __Init_thread_footer.LIBCMT ref: 006817F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: CALL
• API String ID: 1385522511-4196123274
• Opcode ID: a5a7ffb8a32c992e53b76aaab5cd4c828c53536bfc386d0cb9dc15d0d99cc377
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4012f82fe222443142145800400a607e27eb518336bb1fca6f994464abb7b76c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a5a7ffb8a32c992e53b76aaab5cd4c828c53536bfc386d0cb9dc15d0d99cc377
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5B229CB06082419FC714EF14C484B6ABBF6FF86314F248A6DF49A8B361D771E942CB56
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 50e160fafcd2e54fbc96435f451afbe8cacfb79eb4adf3075747dde015007ec4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e8648fbb997001993263d0e1e2024ffd8670982c679055b86d64d12411be75c0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 50e160fafcd2e54fbc96435f451afbe8cacfb79eb4adf3075747dde015007ec4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3532CE30A00605DFDB64EF54CC95FBEB3A2EF04310F148A6DE9169B3A1D771AA84CB95
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetComputerNameW.KERNEL32(?,?), ref: 006CD375
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ComputerName
                                                                                                                                                                                                                                                                                                                                                                                • String ID: X64
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3545744682-893830106
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 40b32acd5430772f58b29b689ce7ade873e4d1778ec06ff6a19ea34edafb2a46
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f756359536f3856e536521d7eba97abb5e66330f3db9f8a3452991ec15dd9baf
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 40b32acd5430772f58b29b689ce7ade873e4d1778ec06ff6a19ea34edafb2a46
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9ED0C9B5815118EACB94DB40DC88EEAF37DFB04301F608265F106E2040DB38964A9B21
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00673908
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: IconNotifyShell_
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1144537725-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e4f9fc0775f6f7b14eb8f1b57dfca7d7471edb91c3fc3c40da03d6da52049bbc
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e4349a7a8cc215558269212fbd5e34458d51b06071fbe33078e84f04bfc7b0d1
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e4f9fc0775f6f7b14eb8f1b57dfca7d7471edb91c3fc3c40da03d6da52049bbc
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C0318EB0A043119FD761EF24D8847D7BBE9FB49708F00492EF69983340E775AA84DB56
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • timeGetTime.WINMM ref: 0068F661
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0067D730: GetInputState.USER32 ref: 0067D807
                                                                                                                                                                                                                                                                                                                                                                                • Sleep.KERNEL32(00000000), ref: 006CF2DE
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: InputSleepStateTimetime
• String ID:
• API String ID: 4149333218-0
• Opcode ID: f51d3710f0228d7e3cd9c595ca8e4135bc2fd4625ed270c0a0df4244c1a2126c
• Instruction ID: 3fa48b08f024357767692b7162638054f716925011c36fbcad5f9d2502a162ad
• Opcode Fuzzy Hash: f51d3710f0228d7e3cd9c595ca8e4135bc2fd4625ed270c0a0df4244c1a2126c
• Instruction Fuzzy Hash: 98F08C312402059FD354EF69D44AB6AB7EAEF45761F00822DE85DC72A0EF70A800CB99
APIs
  • Part of subcall function 00674E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00674EDD,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E9C
  • Part of subcall function 00674E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00674EAE
  • Part of subcall function 00674E90: FreeLibrary.KERNEL32(00000000,?,?,00674EDD,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674EFD
  • Part of subcall function 00674E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006B3CDE,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E62
  • Part of subcall function 00674E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00674E74
  • Part of subcall function 00674E59: FreeLibrary.KERNEL32(00000000,?,?,006B3CDE,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E87
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
• Opcode ID: 066aedc963a80dfb07d249d38190a02c42b8314a0583937d246b5d774ff451c8
• Instruction ID: bc8e55a20edfd5cc7418905b90edbb39726f0984e7c78f31f30348d6131bf43d
• Opcode Fuzzy Hash: 066aedc963a80dfb07d249d38190a02c42b8314a0583937d246b5d774ff451c8
• Instruction Fuzzy Hash: 25110132600205AACB10EB70DC0ABAD77A6AF80710F20C42DF04AA62C1EFB59A459B58
APIs
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 18c7c5e38070e748bf528c94747af5ed9f7ac61b695de48ffad83a00653557d1
• Instruction ID: 667f006820152c08445e78741083e292dd8cec298d9859e3f09620ec66ff1222
• Opcode Fuzzy Hash: 18c7c5e38070e748bf528c94747af5ed9f7ac61b695de48ffad83a00653557d1
• Instruction Fuzzy Hash: AD11187590420AAFCB05EF58E9459DA7BF9EF49314F104099F808AB312DB31DE11CBA9
APIs
  • Part of subcall function 006A4C7D: RtlAllocateHeap.NTDLL(00000008,00671129,00000000,?,006A2E29,00000001,00000364,?,?,?,0069F2DE,006A3863,00741444,?,0068FDF5,?), ref: 006A4CBE
• _free.LIBCMT ref: 006A506C
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
• Instruction ID: d82d6bc25fdf770cbd58f2d3efcc4b0b2109dabe1f07b165c68829e7b9f0d8ad
• Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
• Instruction Fuzzy Hash: 43012B722047055BE321DE559C41A9AFBEAFB8A370F25051DE18583280EA706C05CA74
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e576880390945a8185c69933fc946315a5c6ad1811dc10ebe565eac1cba42370
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1FF0F932510E109ADE717A698C05B96339F9FA3331F10072DF420D7AD2DF75E8028AAD
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000008,00671129,00000000,?,006A2E29,00000001,00000364,?,?,?,0069F2DE,006A3863,00741444,?,0068FDF5,?), ref: 006A4CBE
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: AllocateHeap
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1279760036-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e26f8ca24a124d6a16bd6d9459f61ce3a523045fad9693f7e81ac6e3b62023b9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 37d2a86d78112470aba23c9ed12d2787493bbe291d8656aba9a2cc6c8458b5ed
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e26f8ca24a124d6a16bd6d9459f61ce3a523045fad9693f7e81ac6e3b62023b9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 65F0BB3150612466DB217F619C05F96379BAFC3770B154215B81F96681CEF0DC024A94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000,?,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6,?,00671129), ref: 006A3852
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: AllocateHeap
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1279760036-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: dce766c804e5a610ce89067f6f54c050f57fa4878af91cfa172534c4da84492b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 34cf1e90ee7d562e0188b1f15bf0fb35628ca503a774a351fb680207470bdc78
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dce766c804e5a610ce89067f6f54c050f57fa4878af91cfa172534c4da84492b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CAE0E53110123496DA213B669C05FDA375FAF437B0F054125BC0592B80DF18DE028BE4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(?,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674F6D
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3664257935-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 902acb239060c4ff7c26cc52e0eba61e9715dab2d82e0b16f9529d5562951a5d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 018d4f5e04e57ee8bf7f05736d1874f467be10008c7b4c15726ef8930b6ff7e4
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 902acb239060c4ff7c26cc52e0eba61e9715dab2d82e0b16f9529d5562951a5d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 30F03971105752CFDB349F64D498862FBE6EF55329320CA7EE1EE82621CB3A9884DF10
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • IsWindow.USER32(00000000), ref: 00702A66
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2353593579-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 4291adc1cc213187842ec9dbdda5ff96c3270c2b519398b5e9b3218e6de22739
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 95093b0c4e819a62f4d86fb9e0ec0d800c33d9f420e5e6cca553ff5ef9f53c26
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4291adc1cc213187842ec9dbdda5ff96c3270c2b519398b5e9b3218e6de22739
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D1E0DF72740216EAC760EB30DC848FA739CEB10390B10823ABC1BC6241EF38898682A4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • Shell_NotifyIconW.SHELL32(00000002,?), ref: 0067314E
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: IconNotifyShell_
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1144537725-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ed0103d5d4a90a59fd182daf1e6de1ad87a8ea9d5f9dfde2cbef7cfbcc123bc0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: c3552c840d8b79fe0adec6342fb9a47f29e6b9f4e1989302d58dbb4179f7b276
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ed0103d5d4a90a59fd182daf1e6de1ad87a8ea9d5f9dfde2cbef7cfbcc123bc0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6CF0A7709003149FEB62AF24DC457D57BFCA701708F0041EAA14897281DB7447C8CF45
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00672DC4
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: LongNamePath_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 541455249-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 13ae075d180392f66e479eb7ab4dd4d70e0fbc3501e6ef098c2f01a201e32e7e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: fac7d9ea4ca000afba2744d52f99874480a8ab06c08290aec0d66df7c93c68c3
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 13ae075d180392f66e479eb7ab4dd4d70e0fbc3501e6ef098c2f01a201e32e7e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CAE0CD726001245BC7119358DC05FEA77DDDFC9790F044175FD09D7249D964ADC0C654
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00673837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00673908
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0067D730: GetInputState.USER32 ref: 0067D807
                                                                                                                                                                                                                                                                                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00672B6B
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0067314E
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: IconNotifyShell_$CurrentDirectoryInputState
APIs
• SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 006DDF40
  • Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
Similarity
• API ID: FolderPath_wcslen
APIs
• CreateFileW.KERNEL32(00000000,00000000,?,006B0704,?,?,00000000,?,006B0704,00000000,0000000C), ref: 006B03B7
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
Similarity
• API ID: CreateFile
APIs
• SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00671CBC
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
Similarity
• API ID: InfoParametersSystem
APIs
  • Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0070961A
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0070965B
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0070969F
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007096C9
• SendMessageW.USER32 ref: 007096F2
• GetKeyState.USER32(00000011), ref: 0070978B
• GetKeyState.USER32(00000009), ref: 00709798
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007097AE
• GetKeyState.USER32(00000010), ref: 007097B8
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007097E9
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32 ref: 00709810
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001030,?,00707E95), ref: 00709918
                                                                                                                                                                                                                                                                                                                                                                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0070992E
                                                                                                                                                                                                                                                                                                                                                                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00709941
                                                                                                                                                                                                                                                                                                                                                                                • SetCapture.USER32(?), ref: 0070994A
                                                                                                                                                                                                                                                                                                                                                                                • ClientToScreen.USER32(?,?), ref: 007099AF
                                                                                                                                                                                                                                                                                                                                                                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007099BC
                                                                                                                                                                                                                                                                                                                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007099D6
                                                                                                                                                                                                                                                                                                                                                                                • ReleaseCapture.USER32 ref: 007099E1
                                                                                                                                                                                                                                                                                                                                                                                • GetCursorPos.USER32(?), ref: 00709A19
                                                                                                                                                                                                                                                                                                                                                                                • ScreenToClient.USER32(?,?), ref: 00709A26
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 00709A80
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32 ref: 00709AAE
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00709AEB
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32 ref: 00709B1A
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00709B3B
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00709B4A
                                                                                                                                                                                                                                                                                                                                                                                • GetCursorPos.USER32(?), ref: 00709B68
                                                                                                                                                                                                                                                                                                                                                                                • ScreenToClient.USER32(?,?), ref: 00709B75
                                                                                                                                                                                                                                                                                                                                                                                • GetParent.USER32(?), ref: 00709B93
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 00709BFA
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32 ref: 00709C2B
                                                                                                                                                                                                                                                                                                                                                                                • ClientToScreen.USER32(?,?), ref: 00709C84
                                                                                                                                                                                                                                                                                                                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00709CB4
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00709CDE
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32 ref: 00709D01
                                                                                                                                                                                                                                                                                                                                                                                • ClientToScreen.USER32(?,?), ref: 00709D4E
                                                                                                                                                                                                                                                                                                                                                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00709D82
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689944: GetWindowLongW.USER32(?,000000EB), ref: 00689952
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00709E05
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @GUI_DRAGID$@U=u$F$p#t
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3429851547-641531979
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ba287b2789b1bb368a1b11bcc457295a5eedc1a5954247d4d6b456e3b5020cda
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f73439ee78c5c09bfa6f29cfaa4a4bea9eed7d8e61574fa83dfb0c8a019218b9
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ba287b2789b1bb368a1b11bcc457295a5eedc1a5954247d4d6b456e3b5020cda
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 41428B35208240EFDB25DF24CC44AAABBE5FF49310F144B59F799872E2DB3AA850CB55
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007048F3
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00704908
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00704927
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0070494B
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0070495C
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0070497B
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007049AE
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007049D4
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00704A0F
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00704A56
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00704A7E
                                                                                                                                                                                                                                                                                                                                                                                • IsMenu.USER32(?), ref: 00704A97
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00704AF2
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00704B20
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00704B94
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00704BE3
• SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00704C82
• wsprintfW.USER32 ref: 00704CAE
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00704CC9
• GetWindowTextW.USER32(?,00000000,00000001), ref: 00704CF1
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00704D13
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00704D33
• GetWindowTextW.USER32(?,00000000,00000001), ref: 00704D5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
• String ID: %d/%02d/%02d$@U=u
• API String ID: 4054740463-2764005415
• Opcode ID: d2c6d7c30f1d7fce2a6ac997daf00c5164a9b9aaacce0b25da5bbc3b3dcc2ef9
• Instruction ID: acc8a79115f567b7d5dada888a52d118fec3c9e5280d4376cd32e1a22de2aa72
• Opcode Fuzzy Hash: d2c6d7c30f1d7fce2a6ac997daf00c5164a9b9aaacce0b25da5bbc3b3dcc2ef9
• Instruction Fuzzy Hash: 8812EEB1600205EBEB259F24CC49FAE7BF8FB85310F148369F615DA2E1DB78A941CB54
APIs
• GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0068F998
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006CF474
• IsIconic.USER32(00000000), ref: 006CF47D
• ShowWindow.USER32(00000000,00000009), ref: 006CF48A
• SetForegroundWindow.USER32(00000000), ref: 006CF494
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006CF4AA
• GetCurrentThreadId.KERNEL32 ref: 006CF4B1
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006CF4BD
• AttachThreadInput.USER32(?,00000000,00000001), ref: 006CF4CE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 006CF4D6
• AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 006CF4DE
• SetForegroundWindow.USER32(00000000), ref: 006CF4E1
• MapVirtualKeyW.USER32(00000012,00000000), ref: 006CF4F6
• keybd_event.USER32(00000012,00000000), ref: 006CF501
• MapVirtualKeyW.USER32(00000012,00000000), ref: 006CF50B
• keybd_event.USER32(00000012,00000000), ref: 006CF510
• MapVirtualKeyW.USER32(00000012,00000000), ref: 006CF519
• keybd_event.USER32(00000012,00000000), ref: 006CF51E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 006CF528
• keybd_event.USER32(00000012,00000000), ref: 006CF52D
• SetForegroundWindow.USER32(00000000), ref: 006CF530
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 006CF557
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: cef900857a7f2b279a305b14f7dfc7c6ee1a8550b4d087e283c04e37c0d5ae51
• Instruction ID: 2dc0414f0b66de784ba09ca6eb3d06c1d99f535678babd13276d6ba2b1a152ca
• Opcode Fuzzy Hash: cef900857a7f2b279a305b14f7dfc7c6ee1a8550b4d087e283c04e37c0d5ae51
• Instruction Fuzzy Hash: 7731A671A40218BFEB216BB54C4AFBF7E6EEB44B50F104269F700E61D1CBB55D10AA64
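The two listings above and the LogonUserW listing that follows show three behaviours worth naming during triage: the first resolves GUI control state (0x000E is WM_GETTEXTLENGTH, 0x00F0 is BM_GETCHECK, 0x1001 is DTM_GETSYSTEMTIME, which matches the "%d/%02d/%02d" date format string); the second is the foreground-forcing trick (AttachThreadInput plus keybd_event with VK_MENU, 0x12, followed by SetForegroundWindow) that the AutoIt runtime uses for WinActivate to defeat the SetForegroundWindow lock; the third is the run-as-another-user chain LogonUserW, DuplicateTokenEx, OpenWindowStationW("winsta0"), OpenDesktopW("default"). The helper below is an added example, not part of the Joe Sandbox report and not Joe Sandbox or AutoIt code: it parses "APIs" lines in the report's format into call records and flags those patterns. The embedded sample text is constructed from lines on this page; the function names and the choice of detection rules are this example's own.

```python
"""Triage helper for Joe Sandbox "APIs" listings (added example; hypothetical
tooling, not part of the report).  Parses the per-function API lines into Call
records, names SendMessageW message IDs, and flags the foreground-forcing and
run-as-user call chains seen in this sample."""
import re
from dataclasses import dataclass
from typing import Optional

# One line of a Joe Sandbox "APIs" list, e.g.
#   • keybd_event.USER32(00000012,00000000), ref: 006CF501
#   • Part of subcall function 006D16C3: GetLastError.KERNEL32 ref: 006D174A
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

VK_MENU = 0x12  # Alt; keybd_event(VK_MENU) is the classic foreground-lock bypass
# Message IDs seen in the first listing (values from winuser.h / commctrl.h).
WINDOW_MESSAGES = {0x000E: "WM_GETTEXTLENGTH", 0x00F0: "BM_GETCHECK",
                   0x1001: "DTM_GETSYSTEMTIME"}
RUN_AS_CHAIN = ("LogonUserW", "DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW")


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple          # raw tokens exactly as the report prints them ("?" included)
    ref: int             # call-site address
    subcall_of: Optional[str] = None


def parse_api_listing(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # "APIs", "Strings", dump-source lines and other headers
        args = tuple(a.strip() for a in (m["args"] or "").split(",") if a.strip())
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16), m["sub"]))
    return calls


def _hex_arg(call: Call, index: int) -> Optional[int]:
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None  # "?" or a string argument such as Shell_TrayWnd


def detect_foreground_force(calls) -> bool:
    """AttachThreadInput(..., TRUE) + keybd_event(VK_MENU) + SetForegroundWindow."""
    attaches = any(c.api == "AttachThreadInput" and _hex_arg(c, 2) == 1 for c in calls)
    alt_taps = any(c.api == "keybd_event" and _hex_arg(c, 0) == VK_MENU for c in calls)
    set_fg = any(c.api == "SetForegroundWindow" for c in calls)
    return attaches and alt_taps and set_fg


def detect_run_as_user(calls) -> bool:
    """True when RUN_AS_CHAIN occurs as an ordered subsequence of the calls."""
    want = 0
    for c in calls:
        if c.api == RUN_AS_CHAIN[want]:
            want += 1
            if want == len(RUN_AS_CHAIN):
                return True
    return False


def name_messages(calls) -> list:
    """Resolve the uMsg argument of every SendMessage* call to a symbolic name."""
    out = []
    for c in calls:
        if c.api.startswith("SendMessage"):
            msg = _hex_arg(c, 1)
            label = WINDOW_MESSAGES.get(msg, f"0x{msg:04X}" if msg is not None else "?")
            out.append((c.ref, label))
    return out


def triage(text: str) -> dict:
    calls = parse_api_listing(text)
    return {"calls": len(calls),
            "foreground_force": detect_foreground_force(calls),
            "run_as_user": detect_run_as_user(calls),
            "messages": name_messages(calls)}


# Constructed excerpt: lines copied from the listings on this page.
SAMPLE = """\
APIs
• SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00704C82
• wsprintfW.USER32 ref: 00704CAE
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00704CC9
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00704D13
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006CF474
• AttachThreadInput.USER32(?,00000000,00000001), ref: 006CF4CE
• SetForegroundWindow.USER32(00000000), ref: 006CF4E1
• MapVirtualKeyW.USER32(00000012,00000000), ref: 006CF4F6
• keybd_event.USER32(00000012,00000000), ref: 006CF501
  • Part of subcall function 006D16C3: GetLastError.KERNEL32 ref: 006D174A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 006D1286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006D12A8
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006D12D1
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006D1310
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Both detectors deliberately ignore the "?" placeholders the report emits for arguments it could not recover, so a run-time handle that was not resolved does not suppress a hit; the run-as check insists on call order, because LogonUserW followed by a desktop open is the shape of the AutoIt RunAs implementation, while the same APIs scattered across unrelated functions are not.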
APIs
  • Part of subcall function 006D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006D170D
  • Part of subcall function 006D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006D173A
  • Part of subcall function 006D16C3: GetLastError.KERNEL32 ref: 006D174A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 006D1286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006D12A8
• CloseHandle.KERNEL32(?), ref: 006D12B9
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006D12D1
• GetProcessWindowStation.USER32 ref: 006D12EA
• SetProcessWindowStation.USER32(00000000), ref: 006D12F4
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006D1310
  • Part of subcall function 006D10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006D11FC), ref: 006D10D4
  • Part of subcall function 006D10BF: CloseHandle.KERNEL32(?,?,006D11FC), ref: 006D10E9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                                                                                                                                                                                                                                                                                                                                • String ID: $default$winsta0$Zs
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 22674027-986068762
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 28602fca90098063477a437e3b2211388e4e974636377be2237c623a6d1abfd4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f219f42f4d34c3a8b39c8133f37a612f2dfa35a7bffe274c16666085f9821345
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 28602fca90098063477a437e3b2211388e4e974636377be2237c623a6d1abfd4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2E817171D00209BBDF219FA4DC49FEE7BBAEF09704F14821AF910AA390DBB58945CB55
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006D1114
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1120
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D112F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1136
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006D114D
                                                                                                                                                                                                                                                                                                                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006D0BCC
                                                                                                                                                                                                                                                                                                                                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006D0C00
                                                                                                                                                                                                                                                                                                                                                                                • GetLengthSid.ADVAPI32(?), ref: 006D0C17
                                                                                                                                                                                                                                                                                                                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 006D0C51
                                                                                                                                                                                                                                                                                                                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006D0C6D
                                                                                                                                                                                                                                                                                                                                                                                • GetLengthSid.ADVAPI32(?), ref: 006D0C84
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 006D0C8C
                                                                                                                                                                                                                                                                                                                                                                                • HeapAlloc.KERNEL32(00000000), ref: 006D0C93
                                                                                                                                                                                                                                                                                                                                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 006D0CB4
                                                                                                                                                                                                                                                                                                                                                                                • CopySid.ADVAPI32(00000000), ref: 006D0CBB
                                                                                                                                                                                                                                                                                                                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006D0CEA
                                                                                                                                                                                                                                                                                                                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006D0D0C
                                                                                                                                                                                                                                                                                                                                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006D0D1E
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0D45
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 006D0D4C
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0D55
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 006D0D5C
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0D65
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 006D0D6C
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 006D0D78
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 006D0D7F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D1193: GetProcessHeap.KERNEL32(00000008,006D0BB1,?,00000000,?,006D0BB1,?), ref: 006D11A1
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,006D0BB1,?), ref: 006D11A8
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006D0BB1,?), ref: 006D11B7
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4175595110-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 0ab7fe832cd93dc548d1867e6f9bcd8c81369f66bab68225ad1f93d996106a21
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b2ecc0855f7fea8e89ec2fb1f42fa57b029de25a30640d8e6bb27295bff30d4f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0ab7fe832cd93dc548d1867e6f9bcd8c81369f66bab68225ad1f93d996106a21
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E9715C71D0020AEFEF11DFA4DC45BEEBBBABF09300F148616E914A7291DB75A905CB60
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • OpenClipboard.USER32(0070CC08), ref: 006EEB29
                                                                                                                                                                                                                                                                                                                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 006EEB37
                                                                                                                                                                                                                                                                                                                                                                                • GetClipboardData.USER32(0000000D), ref: 006EEB43
• CloseClipboard.USER32 ref: 006EEB4F
• GlobalLock.KERNEL32(00000000), ref: 006EEB87
• CloseClipboard.USER32 ref: 006EEB91
• GlobalUnlock.KERNEL32(00000000), ref: 006EEBBC
• IsClipboardFormatAvailable.USER32(00000001), ref: 006EEBC9
• GetClipboardData.USER32(00000001), ref: 006EEBD1
• GlobalLock.KERNEL32(00000000), ref: 006EEBE2
• GlobalUnlock.KERNEL32(00000000), ref: 006EEC22
• IsClipboardFormatAvailable.USER32(0000000F), ref: 006EEC38
• GetClipboardData.USER32(0000000F), ref: 006EEC44
• GlobalLock.KERNEL32(00000000), ref: 006EEC55
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 006EEC77
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006EEC94
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006EECD2
• GlobalUnlock.KERNEL32(00000000), ref: 006EECF3
• CountClipboardFormats.USER32 ref: 006EED14
• CloseClipboard.USER32 ref: 006EED59
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
• String ID:
• API String ID: 420908878-0
• Opcode ID: 4e828392334873367c1d4b9e7861196ed1fdf1b1f286311f64158f8605f97f30
• Instruction ID: 6cc427d6ed7f16289f307b35c373bef45b39d6bb25d64db547404e24c9b901ee
• Opcode Fuzzy Hash: 4e828392334873367c1d4b9e7861196ed1fdf1b1f286311f64158f8605f97f30
• Instruction Fuzzy Hash: 7B61DD34204341DFD311EF21D889F6A77A6AF84714F14861DF45A872A2DF36DD0ACBA6
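The clipboard listing above is what the "Contains functionality to read the clipboard data" signature keys on: IsClipboardFormatAvailable and GetClipboardData are called first with format 00000001 (CF_TEXT) and then with 0000000F (CF_HDROP, a dropped-file list), and DragQueryFileW walks that list into 0x104-byte (MAX_PATH) buffers. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses the report's bullet lines, decodes the clipboard-format constants and flags whether a function reads clipboard text and dropped-file paths. The embedded listing is copied from the entries above; the regex, the format table and the function names are this example's own.

```python
import re
from collections import Counter

# Standard clipboard format identifiers from winuser.h. Joe Sandbox prints
# call arguments in hex, so 00000001 is CF_TEXT and 0000000F is CF_HDROP.
CLIPBOARD_FORMATS = {
    0x1: "CF_TEXT",
    0x2: "CF_BITMAP",
    0x7: "CF_OEMTEXT",
    0xD: "CF_UNICODETEXT",
    0xF: "CF_HDROP",
}

# Clipboard APIs whose single argument is a clipboard format identifier.
FORMAT_TAKING_APIS = {"IsClipboardFormatAvailable", "GetClipboardData"}

# One bullet of the report's "APIs" list: Name.MODULE(args), ref: address
# The argument list is optional (e.g. "CloseClipboard.USER32 ref: 006EEB4F").
API_LINE = re.compile(
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})"
)

# Constructed sample input: the API bullets of the clipboard function above.
SAMPLE_LISTING = """\
• CloseClipboard.USER32 ref: 006EEB4F
• GlobalLock.KERNEL32(00000000), ref: 006EEB87
• CloseClipboard.USER32 ref: 006EEB91
• GlobalUnlock.KERNEL32(00000000), ref: 006EEBBC
• IsClipboardFormatAvailable.USER32(00000001), ref: 006EEBC9
• GetClipboardData.USER32(00000001), ref: 006EEBD1
• GlobalLock.KERNEL32(00000000), ref: 006EEBE2
• GlobalUnlock.KERNEL32(00000000), ref: 006EEC22
• IsClipboardFormatAvailable.USER32(0000000F), ref: 006EEC38
• GetClipboardData.USER32(0000000F), ref: 006EEC44
• GlobalLock.KERNEL32(00000000), ref: 006EEC55
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 006EEC77
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006EEC94
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006EECD2
• GlobalUnlock.KERNEL32(00000000), ref: 006EECF3
• CountClipboardFormats.USER32 ref: 006EED14
• CloseClipboard.USER32 ref: 006EED59
"""


def parse_api_calls(listing):
    """Turn the report's bullet lines into dicts: api, module, args, ref."""
    calls = []
    for line in listing.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            # '?' is an argument the sandbox could not resolve; keep it verbatim.
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def clipboard_formats_requested(calls):
    """Distinct clipboard formats, in call order, passed to the format-taking APIs."""
    seen = []
    for c in calls:
        if c["api"] in FORMAT_TAKING_APIS and c["args"]:
            try:
                fmt = int(c["args"][0], 16)
            except ValueError:      # unresolved '?' argument
                continue
            name = CLIPBOARD_FORMATS.get(fmt, f"0x{fmt:X}")
            if name not in seen:
                seen.append(name)
    return seen


def summarize(calls):
    """Capability summary for one function's API listing."""
    apis = Counter(c["api"] for c in calls)
    formats = clipboard_formats_requested(calls)
    return {
        "api_counts": apis,
        "formats": formats,
        "reads_text": "CF_TEXT" in formats or "CF_UNICODETEXT" in formats,
        # CF_HDROP is a file-drop list; DragQueryFileW is how its paths are read.
        "reads_file_drops": "CF_HDROP" in formats and apis["DragQueryFileW"] > 0,
        "first_ref": min(c["ref"] for c in calls) if calls else None,
    }


if __name__ == "__main__":
    s = summarize(parse_api_calls(SAMPLE_LISTING))
    print(f"formats={s['formats']} text={s['reads_text']} "
          f"file_drops={s['reads_file_drops']} first_ref={s['first_ref']:08X}")
```

For the listing above the summary reports CF_TEXT and CF_HDROP, both text and file-drop reads, and three DragQueryFileW calls; the 0x104 in the last two DragQueryFileW arguments is the MAX_PATH buffer each dropped path is copied into. Feeding the same parser the FindFirstFileW/SetFileAttributesW listing further down yields no clipboard formats, which is the expected negative.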
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 006E69BE
• FindClose.KERNEL32(00000000), ref: 006E6A12
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006E6A4E
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006E6A75
  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
• FileTimeToSystemTime.KERNEL32(?,?), ref: 006E6AB2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 006E6ADF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
• String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
• API String ID: 3830820486-3289030164
• Opcode ID: 8f9b26bcd62b35cc50b2f753640a11bd6c1a68c205341568af2d50e305eb9401
• Instruction ID: f3a18b76fe98396fd46addc9ce5f8f3f5dd8fcc953bcd0aef9af82756e295b80
• Opcode Fuzzy Hash: 8f9b26bcd62b35cc50b2f753640a11bd6c1a68c205341568af2d50e305eb9401
• Instruction Fuzzy Hash: 50D150B1508340AFC754EBA5C882EABB7EDAF98704F04891DF589C7191EB74DA44CB62
APIs
• FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 006E9663
• GetFileAttributesW.KERNEL32(?), ref: 006E96A1
• SetFileAttributesW.KERNEL32(?,?), ref: 006E96BB
• FindNextFileW.KERNEL32(00000000,?), ref: 006E96D3
• FindClose.KERNEL32(00000000), ref: 006E96DE
• FindFirstFileW.KERNEL32(*.*,?), ref: 006E96FA
• SetCurrentDirectoryW.KERNEL32(?), ref: 006E974A
• SetCurrentDirectoryW.KERNEL32(00736B7C), ref: 006E9768
• FindNextFileW.KERNEL32(00000000,00000010), ref: 006E9772
• FindClose.KERNEL32(00000000), ref: 006E977F
• FindClose.KERNEL32(00000000), ref: 006E978F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                                                                                                                                                                                                                                                                                • String ID: *.*
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1409584000-438819550
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 17bf6a21cc5282a22df4258f80839232f908f148523922722541f8ecbaeee65e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 20c67d96976b2a51269e4b700879c4ae0df5f8c58450c7c828a8de8689165e44
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 17bf6a21cc5282a22df4258f80839232f908f148523922722541f8ecbaeee65e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9331F672501359BAEF15AFB5DC08ADE77ADAF09320F108256F805E2191DB34DE44CE24
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 006E97BE
                                                                                                                                                                                                                                                                                                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 006E9819
                                                                                                                                                                                                                                                                                                                                                                                • FindClose.KERNEL32(00000000), ref: 006E9824
                                                                                                                                                                                                                                                                                                                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 006E9840
                                                                                                                                                                                                                                                                                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 006E9890
                                                                                                                                                                                                                                                                                                                                                                                • SetCurrentDirectoryW.KERNEL32(00736B7C), ref: 006E98AE
                                                                                                                                                                                                                                                                                                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 006E98B8
                                                                                                                                                                                                                                                                                                                                                                                • FindClose.KERNEL32(00000000), ref: 006E98C5
                                                                                                                                                                                                                                                                                                                                                                                • FindClose.KERNEL32(00000000), ref: 006E98D5
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006DDB00
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                                                                                                                                                                                                                                                                                                                • String ID: *.*
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2640511053-438819550
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 770e4fd63fe0b4178ddcfc7af3dd4b08ca75fef4f521bcaa5b7640e8e1f27638
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 22bd66f457236c5d471d2bb3ea4c4f5a1e2ca489a5f37fdda9f8d23264bc1782
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 770e4fd63fe0b4178ddcfc7af3dd4b08ca75fef4f521bcaa5b7640e8e1f27638
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5531C371501359AAEF21AFB5DC48ADF77AEAF06320F248655E810E22E1DB34DE458F34
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00673AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00673A97,?,?,00672E7F,?,?,?,00000000), ref: 00673AC2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DE199: GetFileAttributesW.KERNEL32(?,006DCF95), ref: 006DE19A
                                                                                                                                                                                                                                                                                                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 006DD122
                                                                                                                                                                                                                                                                                                                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 006DD1DD
                                                                                                                                                                                                                                                                                                                                                                                • MoveFileW.KERNEL32(?,?), ref: 006DD1F0
                                                                                                                                                                                                                                                                                                                                                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 006DD20D
                                                                                                                                                                                                                                                                                                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 006DD237
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,006DD21C,?,?), ref: 006DD2B2
                                                                                                                                                                                                                                                                                                                                                                                • FindClose.KERNEL32(00000000,?,?,?), ref: 006DD253
                                                                                                                                                                                                                                                                                                                                                                                • FindClose.KERNEL32(00000000), ref: 006DD264
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                                                                                                                                                                                                                                                                                                                • String ID: \*.*
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1946585618-1173974218
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f9c0c9ef69c26b358b3b499f315c6c0ba9107b1bb9b30405532d2207fc1984ba
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e9f529fbbcb7fb5352d1757a68ebdcf21c579e83b4af8d7e12c1cfe4c1b65562
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f9c0c9ef69c26b358b3b499f315c6c0ba9107b1bb9b30405532d2207fc1984ba
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 12616B31C0110DAACF45FBE0CD929EDB7B6AF55300F20816AE50677292EB316F09DB65
APIs
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: 136a5ebdae6fa69646af7d0fa64bc2c21e102aae9d458688fda8cd0cd11fdfba
• Instruction ID: cddb172760195b49120c1a2467fe503b62a1a082c5ed0a8eb6b3cb8507732c5e
• Opcode Fuzzy Hash: 136a5ebdae6fa69646af7d0fa64bc2c21e102aae9d458688fda8cd0cd11fdfba
• Instruction Fuzzy Hash: 1C41AE35605651DFD321DF16D888B59BBE2AF44328F14C19DE4198B762CB3AEC42CB94
APIs
  • Part of subcall function 006D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006D170D
  • Part of subcall function 006D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006D173A
  • Part of subcall function 006D16C3: GetLastError.KERNEL32 ref: 006D174A
• ExitWindowsEx.USER32(?,00000000), ref: 006DE932
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• API String ID: 2234035333-3163812486
• Opcode ID: 1aca90c1b1e47b4b57c182915b0e0c4f023caee6c1eebb8a295e37c8b27c2b79
• Instruction ID: 5562bd69912778cf7366de2ab0df999eddd90f450109cb4fb003810c2ef300f6
• Opcode Fuzzy Hash: 1aca90c1b1e47b4b57c182915b0e0c4f023caee6c1eebb8a295e37c8b27c2b79
• Instruction Fuzzy Hash: C4012672E11211BBEB6433B49C96BFF725EA714751F144A27F802EE3D2D9A65C4081D8
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006F1276
• WSAGetLastError.WSOCK32 ref: 006F1283
• bind.WSOCK32(00000000,?,00000010), ref: 006F12BA
• WSAGetLastError.WSOCK32 ref: 006F12C5
• closesocket.WSOCK32(00000000), ref: 006F12F4
• listen.WSOCK32(00000000,00000005), ref: 006F1303
• WSAGetLastError.WSOCK32 ref: 006F130D
• closesocket.WSOCK32(00000000), ref: 006F133C
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• API String ID: 540024437-0
• Opcode ID: a6658d01a6af8b077fc057d2a55ab530ca441f8ac4169ff3692543f33035e2a7
• Instruction ID: 3d55cfb0f8244361cff729ddf5695f704b3d066c55ce5bd5e05f3a0915c084f8
• Opcode Fuzzy Hash: a6658d01a6af8b077fc057d2a55ab530ca441f8ac4169ff3692543f33035e2a7
• Instruction Fuzzy Hash: DE418E31600104DFD710DF68C488B69BBE6AF86358F18C288E9568F3D6C775ED82CBA1
APIs
• _free.LIBCMT ref: 006AB9D4
• _free.LIBCMT ref: 006AB9F8
• _free.LIBCMT ref: 006ABB7F
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00713700), ref: 006ABB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,0074121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006ABC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00741270,000000FF,?,0000003F,00000000,?), ref: 006ABC36
• _free.LIBCMT ref: 006ABD4B
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 314583886-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c1a58a6d0d5ddd0a68539bab915800d461c9f2c8d2410d3fe5deed8e8cb58492
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 156c2097ac15e521a1750efc60defde1675357e3b6a9f202508c9ad7d703a1bb
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c1a58a6d0d5ddd0a68539bab915800d461c9f2c8d2410d3fe5deed8e8cb58492
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2EC12771A00245AFDB20BF689C41BEA7BAAEF43310F18519EE591D7253EB309E41CF64
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00673AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00673A97,?,?,00672E7F,?,?,?,00000000), ref: 00673AC2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DE199: GetFileAttributesW.KERNEL32(?,006DCF95), ref: 006DE19A
                                                                                                                                                                                                                                                                                                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 006DD420
                                                                                                                                                                                                                                                                                                                                                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 006DD470
                                                                                                                                                                                                                                                                                                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 006DD481
                                                                                                                                                                                                                                                                                                                                                                                • FindClose.KERNEL32(00000000), ref: 006DD498
                                                                                                                                                                                                                                                                                                                                                                                • FindClose.KERNEL32(00000000), ref: 006DD4A1
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                                                                                                                                                                                                                                                                                                • String ID: \*.*
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2649000838-1173974218
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: cb39b012187ff99155685d01939049f6067920b9c86065e0aa3f5c0e3d894c18
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 24791777c7ffc95319ea8e0d775872d117a8ed6c902c85c5392d792c7a2ce394
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cb39b012187ff99155685d01939049f6067920b9c86065e0aa3f5c0e3d894c18
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AB31A2314183459BC305FF60C8528AFB7E9BE91314F408E1EF4D593291EB30AA09C767
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: __floor_pentium4
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4168288129-2761157908
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f7c9018dbdbc54740ff5642e56ba9fcb6258ccce58bf01fd4c1282e482846d3e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 10b98cb7c29874ad2b9a587640f1c2cd3644f299ab2ed589c17f7062b66805ce
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f7c9018dbdbc54740ff5642e56ba9fcb6258ccce58bf01fd4c1282e482846d3e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F7C26C71E046288FDB25EF68DD407EAB7B6EB4A304F1441EAD40DE7241E779AE818F41
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006E64DC
                                                                                                                                                                                                                                                                                                                                                                                • CoInitialize.OLE32(00000000), ref: 006E6639
                                                                                                                                                                                                                                                                                                                                                                                • CoCreateInstance.OLE32(0070FCF8,00000000,00000001,0070FB68,?), ref: 006E6650
                                                                                                                                                                                                                                                                                                                                                                                • CoUninitialize.OLE32 ref: 006E68D4
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: bf9d3e1638532914707d9943ff5b3d7627e2f1bfa0d8e145be9c8fb0bb994f97
• Instruction ID: fed576bfd9cbd975b43de1f6c6e79af97ef63fea6e5ff102e723cee70b5b728a
• Opcode Fuzzy Hash: bf9d3e1638532914707d9943ff5b3d7627e2f1bfa0d8e145be9c8fb0bb994f97
• Instruction Fuzzy Hash: B4D14A71608341AFC354DF24C881D6BB7EAFF94344F00896DF5998B2A1EB70E905CBA6
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 006F22E8
  • Part of subcall function 006EE4EC: GetWindowRect.USER32(?,?), ref: 006EE504
• GetDesktopWindow.USER32 ref: 006F2312
• GetWindowRect.USER32(00000000), ref: 006F2319
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 006F2355
• GetCursorPos.USER32(?), ref: 006F2381
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006F23DF
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
• Opcode ID: 0cc57a22fd8f21895618049e74d37942d6e4808d21f4edc464790fe62ab78141
• Instruction ID: 8deb49fdbc37799ae53a44d2f186a2d12077973a595391fe23ecf8aa4e25621f
• Opcode Fuzzy Hash: 0cc57a22fd8f21895618049e74d37942d6e4808d21f4edc464790fe62ab78141
• Instruction Fuzzy Hash: F431D2B250531A9FC721DF14C845FABBBAAFF84314F000A1DF5859B291DB75E908CB95
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
                                                                                                                                                                                                                                                                                                                                                                                • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 006E9B78
                                                                                                                                                                                                                                                                                                                                                                                • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 006E9C8B
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006E3874: GetInputState.USER32 ref: 006E38CB
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006E3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E3966
                                                                                                                                                                                                                                                                                                                                                                                • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 006E9BA8
                                                                                                                                                                                                                                                                                                                                                                                • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 006E9C75
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: *.*
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1972594611-438819550
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c86ffaa851573963ba89729e1b2959f1459cb9c2eb7119501f18e569fc440677
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: eeeb063f53ac07b99c96f0261408bce4bd4238404140a650bc9d1c167257b33c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c86ffaa851573963ba89729e1b2959f1459cb9c2eb7119501f18e569fc440677
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DB419371901249AFDF55EF65C845AEEBBFAEF05710F208159E405A3291EB309E84CF64
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2
                                                                                                                                                                                                                                                                                                                                                                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 00689A4E
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(0000000F), ref: 00689B23
                                                                                                                                                                                                                                                                                                                                                                                • SetBkColor.GDI32(?,00000000), ref: 00689B36
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Color$LongProcWindow
• String ID:
• API String ID: 3131106179-0
APIs
  • Part of subcall function 006F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006F307A
  • Part of subcall function 006F304E: _wcslen.LIBCMT ref: 006F309B
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006F185D
• WSAGetLastError.WSOCK32 ref: 006F1884
• bind.WSOCK32(00000000,?,00000010), ref: 006F18DB
• WSAGetLastError.WSOCK32 ref: 006F18E6
• closesocket.WSOCK32(00000000), ref: 006F1915
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
Strings
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-1546025612
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 006D82AA
Strings
Similarity
• API ID: lstrlen
• String ID: ($tbs$|
• API String ID: 1659193697-2660408474
APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 006DAAAC
• SetKeyboardState.USER32(00000080), ref: 006DAAC8
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 006DAB36
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 006DAB88
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 432972143-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 1995eeea4ad40a99f5ae8413a17eb99e02871c66991037560c604fade7f72cf0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 58486ae467673966998d6f03328183cc9acf913d69c57ab4bef0b7e504b2ece3
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1995eeea4ad40a99f5ae8413a17eb99e02871c66991037560c604fade7f72cf0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0731E730E48248AFFB358BA5CC05BFA7BA7AB45310F14431BF581963D1D7758982C766
APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 006ECE89
• GetLastError.KERNEL32(?,00000000), ref: 006ECEEA
• SetEvent.KERNEL32(?,?,00000000), ref: 006ECEFE
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ErrorEventFileInternetLastRead
• String ID:
• API String ID: 234945975-0
• Opcode ID: b2ffe914a763c5988e9f2095f8132fdc78e68aabc52a1f20988c15275910e3ed
• Instruction ID: beccdf7b0771cf83dae1778141de482a57092e864e234e7d8cfbb0764150f822
• Opcode Fuzzy Hash: b2ffe914a763c5988e9f2095f8132fdc78e68aabc52a1f20988c15275910e3ed
• Instruction Fuzzy Hash: 7221B0B1501305EFDB20DF66C945BAA77FEEF00324F10851EE54692251EB74ED069B54
APIs
• IsDebuggerPresent.KERNEL32 ref: 006A271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006A2724
• UnhandledExceptionFilter.KERNEL32(?), ref: 006A2731
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: d3348355d6e18502bbb5dd6322ce06f5e816aa6eafaa56b3b965b821f23820f8
• Instruction ID: d2b009685461924580e4b70c4c33b10c02de2a464d0e23a43245530dbcb9a5a6
• Opcode Fuzzy Hash: d3348355d6e18502bbb5dd6322ce06f5e816aa6eafaa56b3b965b821f23820f8
• Instruction Fuzzy Hash: 7F31D774951219ABCB61DF68DC887DCBBB9AF08310F5042DAE80CA7261E7349F818F49
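The function blocks above are Joe Sandbox's per-function metadata: each "APIs" list names the imports one disassembled function resolves, with the call-site address after "ref:", followed by the API ID and the opcode and instruction fuzzy hashes used for similarity matching. The Python script below is an added example, not part of this report and not Joe Sandbox tooling. It parses blocks in this format into records and flags the API combinations an analyst triages first in this sample: the IsDebuggerPresent check, the SetKeyboardState/SendInput keystroke injection and the InternetReadFile download loop. The three-block sample input is copied from the report text above (whitespace and link residue stripped); the behaviour-tag map is my own assumption and deliberately small.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three function blocks copied from the report text above.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 006DAAAC
• SetKeyboardState.USER32(00000080), ref: 006DAAC8
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 006DAB36
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 006DAB88
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
Similarity
• API ID: KeyboardState$InputMessagePostSend
• API String ID: 432972143-0
• Instruction Fuzzy Hash: 0731E730E48248AFFB358BA5CC05BFA7BA7AB45310F14431BF581963D1D7758982C766
APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 006ECE89
• GetLastError.KERNEL32(?,00000000), ref: 006ECEEA
• SetEvent.KERNEL32(?,?,00000000), ref: 006ECEFE
Similarity
• API ID: ErrorEventFileInternetLastRead
• API String ID: 234945975-0
APIs
• IsDebuggerPresent.KERNEL32 ref: 006A271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006A2724
• UnhandledExceptionFilter.KERNEL32(?), ref: 006A2731
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• API String ID: 3906539128-0
"""

# One API call line: "• Name.MODULE(args), ref: ADDR" (args are optional).
API_RE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*"
    r"ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# Any other "• Key: value" bullet (API ID, fuzzy hashes, dump source).
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

# Behaviour tags to flag. Assumption: this map is mine, not Joe Sandbox's.
TAGS = {
    "IsDebuggerPresent": "anti-debug",
    "SendInput": "input-injection",
    "SetKeyboardState": "input-injection",
    "InternetReadFile": "network-download",
    "GetDiskFreeSpaceExW": "host-profiling",
}


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)   # (name, module, [args], ref)
    meta: dict = field(default_factory=dict)   # "API ID", "Instruction Fuzzy Hash", ...

    @property
    def tags(self):
        return sorted({TAGS[a[0]] for a in self.apis if a[0] in TAGS})

    @property
    def ref_range(self):
        """Lowest and highest call-site address, a cheap proxy for the function's extent."""
        refs = [int(a[3], 16) for a in self.apis]
        return (min(refs), max(refs)) if refs else None


def parse_blocks(text):
    """Split Joe Sandbox function metadata into one FunctionBlock per 'APIs' header."""
    blocks, current, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()                      # tolerate the page's wide indentation
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            in_apis = True
            continue
        if current is None or not line:
            continue
        if not line.startswith("•"):
            in_apis = False                     # "Memory Dump Source", "Similarity", ...
            continue
        m = API_RE.match(line)
        if in_apis and m:
            args = m["args"].split(",") if m["args"] is not None else []
            current.apis.append((m["name"], m["module"], args, m["ref"].upper()))
            continue
        kv = KV_RE.match(line)
        if kv:
            current.meta[kv["key"].strip()] = kv["value"].strip()
    return blocks


def triage(text):
    """Return (API ID, tags, ref range) for every block that calls a flagged API."""
    return [(b.meta.get("API ID", ""), b.tags, b.ref_range)
            for b in parse_blocks(text) if b.tags]


if __name__ == "__main__":
    for api_id, tags, (lo, hi) in triage(SAMPLE):
        print(f"{lo:08X}-{hi:08X}  {', '.join(tags):18}  {api_id}")
```

Run against the full report text rather than the embedded sample to get one line per flagged function. The second argument of PostMessageW in the first block, 00000102, is WM_CHAR, so that function posts a character message and then calls SendInput, which is the shape of a synthetic-keystroke routine; the ref range places the three flagged functions at distinct addresses within the 00670000 image, which is what you would cross-check against the Source File offset when carving them from the dump.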
APIs
• SetErrorMode.KERNEL32(00000001), ref: 006E51DA
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006E5238
• SetErrorMode.KERNEL32(00000000), ref: 006E52A1
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: 9ea81d06aeeefc7403cfbb504ee987f737237546cd24e7f373bfb11163164737
• Instruction ID: 0f364f34a23409a382a79674e78f54d2ff343e8c67cc0e3b7b7e3e621861286c
• Opcode Fuzzy Hash: 9ea81d06aeeefc7403cfbb504ee987f737237546cd24e7f373bfb11163164737
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 16318175A00608DFDB00DF54D884EADBBF5FF49318F088099E9099B392CB35E945CB94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0068FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00690668
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0068FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00690685
                                                                                                                                                                                                                                                                                                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006D170D
                                                                                                                                                                                                                                                                                                                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006D173A
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 006D174A
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 577356006-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 88b582261a00ab2096d119002e443da34e19a4b8ed0515a33dd4810bfdc7463d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 901ff2b4a00147bf0e894986316c313451e61d11619324c0806f005a7761f49d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 88b582261a00ab2096d119002e443da34e19a4b8ed0515a33dd4810bfdc7463d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 281191B2814304FFD728AF54DC86D6AB7BEEF45714B20862EE45657251EB70FC418B24
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006DD608
                                                                                                                                                                                                                                                                                                                                                                                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 006DD645
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006DD650
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CloseControlCreateDeviceFileHandle
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 33631002-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 174a0019e6b69f8a491b7e6e6f0c9d5d4dd787377cf3c4a67f09a06c26004bd5
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: cd0c6f456e9e0cb191867f646fa1e1fb1ece7a8943de78b0fb7741584d07a6c6
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 174a0019e6b69f8a491b7e6e6f0c9d5d4dd787377cf3c4a67f09a06c26004bd5
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B3117C71E01228BBDB108F949C44FAFBBBCEB45B50F108252F904E7290D6704A018BE1
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006D168C
                                                                                                                                                                                                                                                                                                                                                                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006D16A1
                                                                                                                                                                                                                                                                                                                                                                                • FreeSid.ADVAPI32(?), ref: 006D16B1
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3429775523-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: daad593da668e68418c9e35de6ab4f7bdd38a1a66766d9f5df7f30488e8198af
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 17bfc7f825cb7c6243d9534415fe044ec6d0eb72a0690e8c13bd19921f51aa8b
• Opcode Fuzzy Hash: daad593da668e68418c9e35de6ab4f7bdd38a1a66766d9f5df7f30488e8198af
• Instruction Fuzzy Hash: C1F0F471950309FBEB00DFE49D89AAEBBBDEB08604F508665E601E2181E774AA448A54
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID:
• String ID: /
• API String ID: 0-2043925204
• Opcode ID: 21438cb14a2550ca90814277c10c375de1293ddbc36bc80f349b50cc7b36498c
• Instruction ID: efbc038ad93da3bf5c0da9b75b5977fd61ca26d8f122158989477b0db5271789
• Opcode Fuzzy Hash: 21438cb14a2550ca90814277c10c375de1293ddbc36bc80f349b50cc7b36498c
• Instruction Fuzzy Hash: 09413876500219AFCB20AFB9CC48EFB77BAEB85324F10826DF905D7280E6709E418F54
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
• Instruction ID: ef17894b82aab676bba5a325d0665c010ce4505b213c050d981308eac1509cdd
• Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
• Instruction Fuzzy Hash: FF022C71E002199FDF14CFA9C8806EDBBF6EF48324F254169D819EB784D730AA41CB94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID:
• String ID: Variable is not of type 'Object'.$p#t
• API String ID: 0-112919048
• Opcode ID: 9b7665c511ff8bc65699b1a70c467d68b08b1b74fe515fae650b00de8b509b5a
• Instruction ID: 5c358c0bde1d87c5ad2e844dd3a3b34c08961f7f11cff5613dd334bfb29043bb
• Opcode Fuzzy Hash: 9b7665c511ff8bc65699b1a70c467d68b08b1b74fe515fae650b00de8b509b5a
• Instruction Fuzzy Hash: AD326970900218DBEF14DF94C895BEDB7B6FF09314F24815DE80AAB292D735AE46CB64
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 006E6918
• FindClose.KERNEL32(00000000), ref: 006E6961
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 947c7f8642ad9866c01d330701340da41102521c1e6da6f487cfe699ed890afc
• Instruction ID: 1b9463302de2485d3907a102fffbfdd6c914e729aa7d7b7fde63a429195b95c5
• Opcode Fuzzy Hash: 947c7f8642ad9866c01d330701340da41102521c1e6da6f487cfe699ed890afc
• Instruction Fuzzy Hash: C2116A316042419FD710DF2AD484A1ABBE6AF85328F14C69DF4698B6A2CB34EC05CB91
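The function records in this listing follow a fixed layout: an optional Strings or APIs list, the Memory Dump Source the function was lifted from, the IDA plugin snapshot, and the Similarity block with API ID, String ID, Opcode ID and fuzzy hashes. Read one at a time they say little (the two API-bearing records here are a directory walk via FindFirstFileW/FindClose and error-message formatting via GetLastError/FormatMessageW, both ordinary runtime helpers); the value is in parsing all of them and indexing by imported API, so the functions behind the capabilities flagged in the signature overview can be located in a disassembler. The parser below is an added example written for this page, not Joe Sandbox's own tooling. It assumes that the dump's Offset is the module base (so ref minus Offset is an RVA usable in IDA or Ghidra), that a Strings/APIs/Memory Dump Source header following a record that already has a source file starts the next record, and that the hexadecimal argument values printed in an API line are the constants the sandbox resolved at the call site. The sample input is constructed from the two API records above, with the second record left truncated exactly as this excerpt leaves it.

```python
"""Parse Joe Sandbox per-function records (Strings/APIs/Memory Dump Source/Similarity
blocks) into structured data for scripted triage. Added example, not Joe Sandbox tooling.
Assumptions: dump 'Offset' is the module base; a Strings/APIs/Memory Dump Source header
after a record that already has a source file starts a new record."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_HEADERS = {"Strings", "APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
RECORD_STARTERS = {"Strings", "APIs", "Memory Dump Source"}
BULLET = "• "
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# Win32 FormatMessage dwFlags, to show that the constants resolved in an argument list can be decoded.
FORMAT_MESSAGE_FLAGS = {0x100: "ALLOCATE_BUFFER", 0x200: "IGNORE_INSERTS", 0x400: "FROM_STRING",
                        0x800: "FROM_HMODULE", 0x1000: "FROM_SYSTEM", 0x2000: "ARGUMENT_ARRAY"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None where the report prints '?'
    ref: int                   # call-site VA printed after 'ref:'

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    associated: List[str] = field(default_factory=list)
    source_file: Optional[str] = None
    base: Optional[int] = None                            # dump 'Offset' (assumed module base)
    fields: Dict[str, str] = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes, ...

    @property
    def key(self) -> str:
        # Opcode ID names the function; a truncated record falls back to its first call-site VA.
        return self.fields.get("Opcode ID") or (f"va_{self.apis[0].ref:08X}" if self.apis else "unknown")

    def rva(self, va: int) -> Optional[int]:
        return None if self.base is None else va - self.base

def parse_api(item: str) -> ApiCall:
    m = API_RE.match(item)
    if not m:
        raise ValueError(f"unrecognised API line: {item!r}")
    args = [None if a == "?" else int(a, 16) for a in m["args"].split(",") if a]
    return ApiCall(m["name"], m["module"], args, int(m["ref"], 16))

def parse_records(text: str) -> List[FunctionRecord]:
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()  # report lines carry heavy indentation when exported
        if line in SECTION_HEADERS:
            if cur is None or (cur.source_file and line in RECORD_STARTERS):
                cur = FunctionRecord()
                records.append(cur)
            section = line
        elif cur is not None and line.startswith(BULLET):
            item = line[len(BULLET):]
            if section == "APIs":
                cur.apis.append(parse_api(item))
            elif section == "Strings":
                cur.strings.append(item)
            else:
                key, _, value = (s.strip() for s in item.partition(":"))
                if key == "Source File":  # "<dump>.sdmp, Offset: 00670000, based on PE: true"
                    cur.source_file = value.split(",")[0]
                    m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", value)
                    cur.base = int(m.group(1), 16) if m else None
                elif key == "Associated":
                    cur.associated.append(value)
                else:
                    cur.fields[key] = value
        # blank lines and a record tail cut off before the excerpt are skipped
    return records

def format_message_flags(call: ApiCall) -> List[str]:
    """Decode dwFlags, the first argument of a FormatMessageW call, when the sandbox resolved it."""
    flags = call.args[0] if call.args and call.args[0] is not None else 0
    return [n for bit, n in FORMAT_MESSAGE_FLAGS.items() if flags & bit]

def api_index(records: List[FunctionRecord]) -> Dict[str, list]:
    """'MODULE!Api' -> [(function key, call-site RVA)], for jumping to call sites in IDA/Ghidra."""
    index = defaultdict(list)
    for rec in records:
        for call in rec.apis:
            index[f"{call.module}!{call.name}"].append((rec.key, rec.rva(call.ref)))
    return dict(index)

# Constructed sample: the two API-bearing records above, indentation and link text stripped.
SAMPLE = """\
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 006E6918
• FindClose.KERNEL32(00000000), ref: 006E6961
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Find$CloseFileFirst
• Opcode ID: 947c7f8642ad9866c01d330701340da41102521c1e6da6f487cfe699ed890afc
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,006F4891,?,?,00000035,?), ref: 006E37E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,006F4891,?,?,00000035,?), ref: 006E37F4
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
"""
```

On a full report the workflow is to export the page as text, strip the "Download File" link text, pass the result to parse_records and then walk api_index for the imports of interest; the call-site RVAs come straight from the Offset of the source dump, so they line up with the image as loaded in the sandbox, and a record whose Similarity block is missing (as with the truncated second record) still gets a usable key from its first call site.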
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,006F4891,?,?,00000035,?), ref: 006E37E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,006F4891,?,?,00000035,?), ref: 006E37F4
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorFormatLastMessage
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3479602957-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b3d482402e347a3ad7039301f5be15c8bcd9f198e88cb264628df3165dce336e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 841a68f8be6b43a45c35a8c1dd8d04264626ad3b85127f94749b657472215f5f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b3d482402e347a3ad7039301f5be15c8bcd9f198e88cb264628df3165dce336e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D2F0E5B06053286AEB6117678C4DFEB7AAFEFC5761F004269F509D3281D9609944C7B4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 006DB25D
                                                                                                                                                                                                                                                                                                                                                                                • keybd_event.USER32(?,753DC0D0,?,00000000), ref: 006DB270
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: InputSendkeybd_event
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3536248340-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f16b53f4834e38bb762124d329ed94b5624a7d2192897313c29e0cd199999b38
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 3cc6a68b199da0e745ca464219dc43af8d6e9d5d1054a5db623073dbf490d5c8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f16b53f4834e38bb762124d329ed94b5624a7d2192897313c29e0cd199999b38
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EAF01D7580424DEBDB059FA0C805BFE7BB4FF04305F10910AF955A5291C77986119F94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006D11FC), ref: 006D10D4
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?,?,006D11FC), ref: 006D10E9
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 81990902-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 84be9e45c6ef7dfd654ca07e1607cb5792bc221d92150f6cd79603f859cdfafa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 46c20c320bde43a41f00bd585bb5258cbb47b8c40dd3fcf1a1b9cf8e938daa8d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 84be9e45c6ef7dfd654ca07e1607cb5792bc221d92150f6cd79603f859cdfafa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 96E04F32014600FEE7262B11FC09E7377AAEF04310B10CA2EF5A5805B1DF626CA0DB14
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006A6766,?,?,00000008,?,?,006AFEFE,00000000), ref: 006A6998
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 6156ebac41bace9312e5be4c7ba5ec063e0e231092e7ab685d31402e8cdbe0a9
• Instruction ID: a3ca89041be8c11858654c7a76362106a3e7d4cef5c5d9f9e0c7f2ac6c431539
• Opcode Fuzzy Hash: 6156ebac41bace9312e5be4c7ba5ec063e0e231092e7ab685d31402e8cdbe0a9
• Instruction Fuzzy Hash: 2BB15C316106098FD715DF28C486BA57BA1FF06364F298658F99ACF2A2C335ED92CF40
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: 0861548fc4884e8a698b3d0a22a660f25ba03ebfa5b899b735fc9bcde5ae1598
• Instruction ID: e69f43b6e120bdf9817a736dfeee9b3e4354293545ea1bd70e4222b4c2b54f61
• Opcode Fuzzy Hash: 0861548fc4884e8a698b3d0a22a660f25ba03ebfa5b899b735fc9bcde5ae1598
• Instruction Fuzzy Hash: D8123F719002299FCB64DF58C881BFEB7F6EF48710F14819AE849EB255DB749E81CB90
APIs
• BlockInput.USER32(00000001), ref: 006EEABD
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: fad790f1eedf0c97eec1df6c1d2801c7f9b7f122c009dbc64d81dec9eaf2fc94
• Instruction ID: 45ac511ce3d4a0d1413732f225b13d166eacafc852b1020274d23a73c4bd95a6
• Opcode Fuzzy Hash: fad790f1eedf0c97eec1df6c1d2801c7f9b7f122c009dbc64d81dec9eaf2fc94
• Instruction Fuzzy Hash: 36E01A312002049FD710EF6AD804E9AB7EAAF98764F00C42AFC49C7391DB75A8418B94
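The function entries above give each API reference as a virtual address (for example `BlockInput.USER32(00000001), ref: 006EEABD`) together with the list of dumped memory regions the code was recovered from. When triaging such a listing it is useful to map a reference back to the region that contains it, confirm the region is executable image memory, and convert the address to an RVA so it can be looked up in the original PE. The following Python is an added example written for this page; it is not part of the Joe Sandbox report or of any Joe Sandbox tooling. Two assumptions are labelled in the code: the field layout of the `.sdmp` dump names (field 3 is taken as the region start, field 4 as a Windows `PAGE_*` protection value, field 6 as the `MEM_*` type), which is inferred from the values in this listing, and that each region extends up to the start of the next one because the listing gives no region sizes. The region names, image base and reference addresses are copied from the entries above.

```python
"""Map a 'ref:' address from a sandbox function listing to its dump region.

Added example for this page; not part of the report or of Joe Sandbox.
"""
from dataclasses import dataclass

# Windows memory constants (winnt.h); the protection names are what the
# decoded field is compared against below.
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
MEM_IMAGE = 0x01000000

PROTECTION_NAMES = {
    PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
}


@dataclass(frozen=True)
class DumpRegion:
    name: str
    address: int     # region start (virtual address)
    protection: int  # PAGE_* value
    mem_type: int    # MEM_* value


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split a dotted .sdmp name into fields.

    ASSUMPTION: the field layout is inferred from this listing, not from
    documentation. Field 3 is read as the region start (0x671000 is image
    base 0x670000 + 0x1000, the usual .text start), field 4 as a PAGE_*
    protection (0x20 on the code region, 0x02 / 0x04 on the data regions)
    and field 6 as the MEM_* type (0x01000000 == MEM_IMAGE).
    """
    fields = name.removesuffix(".sdmp").split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    return DumpRegion(
        name=name,
        address=int(fields[3], 16),
        protection=int(fields[4], 16),
        mem_type=int(fields[6], 16),
    )


def locate(address: int, regions: list[DumpRegion]) -> DumpRegion:
    """Return the region with the highest start address not above `address`.

    ASSUMPTION: the listing gives no region sizes, so each region is taken to
    run up to the start of the next one.
    """
    candidates = [r for r in regions if r.address <= address]
    if not candidates:
        raise ValueError(f"{address:#x} lies below every dumped region")
    return max(candidates, key=lambda r: r.address)


def describe_ref(ref: int, image_base: int, regions: list[DumpRegion]) -> dict:
    """Resolve a 'ref:' VA to its region, RVA and memory properties."""
    region = locate(ref, regions)
    return {
        "va": ref,
        "rva": ref - image_base,
        "region_start": region.address,
        "protection": PROTECTION_NAMES.get(region.protection, hex(region.protection)),
        "is_image": bool(region.mem_type & MEM_IMAGE),
        "executable": region.protection == PAGE_EXECUTE_READ,
    }


# Dump names and image base copied from the entries on this page.
IMAGE_BASE = 0x670000
REPORT_REGIONS = [parse_sdmp_name(n) for n in (
    "00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp",
)]

if __name__ == "__main__":
    # The BlockInput and SetUnhandledExceptionFilter references from the listing.
    for ref in (0x6EEABD, 0x6909DA):
        info = describe_ref(ref, IMAGE_BASE, REPORT_REGIONS)
        print(f"VA {info['va']:#x} -> RVA {info['rva']:#x} in region "
              f"{info['region_start']:#x} ({info['protection']}, "
              f"image={info['is_image']}, executable={info['executable']})")
```

Both references resolve to the single `PAGE_EXECUTE_READ` image region starting at 0x671000, as expected for code. The RVA of the `SetUnhandledExceptionFilter` call, 0x209DA, sits a few bytes before 0x209E1, which is consistent with the listing's `Function_000209E1` label being an RVA rather than a VA; treat that reading as an observation from this listing, not a documented convention.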
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006903EE), ref: 006909DA
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3192549508-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: fee48fc4bb3d385b3742698177ea594db40dbc20c562a15dca8d526a750de7de
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: d2c6353d11635bc6c6f2afbf2921a28eac48b3cf7e29d5e049570d608fc08f07
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fee48fc4bb3d385b3742698177ea594db40dbc20c562a15dca8d526a750de7de
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 0
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 0-4108050209
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID:
• String ID: 0&t
• API String ID: 0-1335626371
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 7cb930fb1fb5423f3f1ada616c73d906259ef89cc73665f923353392a0182c62
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a3c890dde3c21c41461adf0e3ccecc95703a6402574fe2987d90f492986be7b9
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7cb930fb1fb5423f3f1ada616c73d906259ef89cc73665f923353392a0182c62
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E902A5B1E00109EBDF14DF64D881AEDB7B6FF44300F118169E81A9B391EB35AE51CB95
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 30acc038b4d9680d7fc67dbd61ba7563b6961a83360091eb32513305232dfdf5
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FF9164722090A34ADF29427A857407DFFEB5A933B232A079ED4F2CEAC5FD1489559620
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: dcf119e018fb6a221f6d94768c3021512bc0ee05773571fca7f8348e6f58aff4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b3ae5705654a454ec745c634d1ed06598ddf214b30b1f92e97f8ae441431c2ee
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dcf119e018fb6a221f6d94768c3021512bc0ee05773571fca7f8348e6f58aff4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 186199312383099ADE389E2C8C91BFE238FDF51710F14091EE842DBF85D611AE42C359
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 0bfcca08c61f153fac9b42c5937d3911dc71e439eb7a09d9997846dc7bdf0204
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 948176726090A30ADF6D427985340BEFFE75A933A132A079DD4F2CFAC1EE24C554E620
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63c9eed2c04aca1725ffcbd979b223e08e69ffb947ffda22a5b8dce636f02a93
• Instruction ID: 2c4fdb82f27f25bc8f9f9796138d48d0707a8a3709e0bb7b8329e984bf41a198
• Opcode Fuzzy Hash: 63c9eed2c04aca1725ffcbd979b223e08e69ffb947ffda22a5b8dce636f02a93
• Instruction Fuzzy Hash: C051437154E7C0CFE73AAB258446D347F70EE62A1434A86CEC4814B8BBEB71951ECB85
APIs
• DeleteObject.GDI32(00000000), ref: 006F2B30
• DeleteObject.GDI32(00000000), ref: 006F2B43
• DestroyWindow.USER32 ref: 006F2B52
• GetDesktopWindow.USER32 ref: 006F2B6D
• GetWindowRect.USER32(00000000), ref: 006F2B74
• SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 006F2CA3
• AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 006F2CB1
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2CF8
• GetClientRect.USER32(00000000,?), ref: 006F2D04
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006F2D40
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2D62
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2D75
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2D80
• GlobalLock.KERNEL32(00000000), ref: 006F2D89
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2D98
• GlobalUnlock.KERNEL32(00000000), ref: 006F2DA1
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2DA8
• GlobalFree.KERNEL32(00000000), ref: 006F2DB3
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2DC5
• OleLoadPicture.OLEAUT32(?,00000000,00000000,0070FC38,00000000), ref: 006F2DDB
• GlobalFree.KERNEL32(00000000), ref: 006F2DEB
• CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 006F2E11
• SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 006F2E30
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2E52
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F303F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $@U=u$AutoIt v3$DISPLAY$static
• API String ID: 2211948467-3613752883
• Opcode ID: 1ade0377f288c2048322b36008c67b5e41035751701883a41b1b10854ffb0b84
• Instruction ID: 0f00116804fe1d30e79d9c51df982502eeb2e4742594fa67a58e7ff4abc2e69b
• Opcode Fuzzy Hash: 1ade0377f288c2048322b36008c67b5e41035751701883a41b1b10854ffb0b84
• Instruction Fuzzy Hash: 41028C71500209EFDB15DFA4CC89EAE7BBAFB49714F008258F915AB2A1DB74AD01CF64
APIs
• SetTextColor.GDI32(?,00000000), ref: 0070712F
• GetSysColorBrush.USER32(0000000F), ref: 00707160
• GetSysColor.USER32(0000000F), ref: 0070716C
• SetBkColor.GDI32(?,000000FF), ref: 00707186
• SelectObject.GDI32(?,?), ref: 00707195
• InflateRect.USER32(?,000000FF,000000FF), ref: 007071C0
• GetSysColor.USER32(00000010), ref: 007071C8
• CreateSolidBrush.GDI32(00000000), ref: 007071CF
• FrameRect.USER32(?,?,00000000), ref: 007071DE
• DeleteObject.GDI32(00000000), ref: 007071E5
• InflateRect.USER32(?,000000FE,000000FE), ref: 00707230
• FillRect.USER32(?,?,?), ref: 00707262
• GetWindowLongW.USER32(?,000000F0), ref: 00707284
  • Part of subcall function 007073E8: GetSysColor.USER32(00000012), ref: 00707421
  • Part of subcall function 007073E8: SetTextColor.GDI32(?,?), ref: 00707425
  • Part of subcall function 007073E8: GetSysColorBrush.USER32(0000000F), ref: 0070743B
  • Part of subcall function 007073E8: GetSysColor.USER32(0000000F), ref: 00707446
  • Part of subcall function 007073E8: GetSysColor.USER32(00000011), ref: 00707463
  • Part of subcall function 007073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00707471
  • Part of subcall function 007073E8: SelectObject.GDI32(?,00000000), ref: 00707482
  • Part of subcall function 007073E8: SetBkColor.GDI32(?,00000000), ref: 0070748B
  • Part of subcall function 007073E8: SelectObject.GDI32(?,?), ref: 00707498
  • Part of subcall function 007073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007074B7
  • Part of subcall function 007073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007074CE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 007073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007074DB
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4124339563-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: de2b53ed9f82885febc8279b6bce61e07699e9b4fbcf0c350ba5f8297b8fca61
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a2427c9073794a6c3147dce035c03abd1dd55eb120b2e2d7b6067401a511f742
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: de2b53ed9f82885febc8279b6bce61e07699e9b4fbcf0c350ba5f8297b8fca61
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4BA1C072408301EFD7029F60DC48A5BBBE9FF89320F108B19F962961E0DB78E850CB51
APIs
• DestroyWindow.USER32(?,?), ref: 00688E14
• SendMessageW.USER32(?,00001308,?,00000000), ref: 006C6AC5
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006C6AFE
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006C6F43
  • Part of subcall function 00688F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00688BE8,?,00000000,?,?,?,?,00688BBA,00000000,?), ref: 00688FC5
• SendMessageW.USER32(?,00001053), ref: 006C6F7F
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006C6F96
• ImageList_Destroy.COMCTL32(00000000,?), ref: 006C6FAC
• ImageList_Destroy.COMCTL32(00000000,?), ref: 006C6FB7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
• String ID: 0$@U=u
• API String ID: 2760611726-975001249
• Opcode ID: d170739995704483a597b7aacaabb31daf33ffabfe69df646786994baee41b59
• Instruction ID: f988ef7456915119be41adc5b25143620da2f5b67fa974698144abb4eaf252b4
• Opcode Fuzzy Hash: d170739995704483a597b7aacaabb31daf33ffabfe69df646786994baee41b59
• Instruction Fuzzy Hash: 76128A34204241DFDB25EF14C848FB5B7A6FB49300F94866EF5958B261CB35EC92CB99
APIs
• DestroyWindow.USER32(00000000), ref: 006F273E
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006F286A
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006F28A9
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006F28B9
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 006F2900
• GetClientRect.USER32(00000000,?), ref: 006F290C
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 006F2955
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006F2964
• GetStockObject.GDI32(00000011), ref: 006F2974
• SelectObject.GDI32(00000000,00000000), ref: 006F2978
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 006F2988
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 006F2991
• DeleteDC.GDI32(00000000), ref: 006F299A
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006F29C6
• SendMessageW.USER32(00000030,00000000,00000001), ref: 006F29DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 006F2A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006F2A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 006F2A42
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 006F2A77
• GetStockObject.GDI32(00000011), ref: 006F2A82
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006F2A8D
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 006F2A97
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2910397461-2771358697
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 696f3e0107f4fc7b76ac07c2351ef2b14acd9523eb28f22d6df584193ee07d2d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 35ed174138669326dddc4491227292bb579106d225a59dbbcebefca7269b22d0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 696f3e0107f4fc7b76ac07c2351ef2b14acd9523eb28f22d6df584193ee07d2d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 11B15FB5A40209AFEB14DF68CC45FAE7BA9EB05710F108255FA14E7290DB74ED40CB94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(00000012), ref: 00707421
                                                                                                                                                                                                                                                                                                                                                                                • SetTextColor.GDI32(?,?), ref: 00707425
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 0070743B
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(0000000F), ref: 00707446
                                                                                                                                                                                                                                                                                                                                                                                • CreateSolidBrush.GDI32(?), ref: 0070744B
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(00000011), ref: 00707463
                                                                                                                                                                                                                                                                                                                                                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00707471
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,00000000), ref: 00707482
                                                                                                                                                                                                                                                                                                                                                                                • SetBkColor.GDI32(?,00000000), ref: 0070748B
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,?), ref: 00707498
                                                                                                                                                                                                                                                                                                                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 007074B7
                                                                                                                                                                                                                                                                                                                                                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007074CE
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 007074DB
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0070752A
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00707554
                                                                                                                                                                                                                                                                                                                                                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 00707572
                                                                                                                                                                                                                                                                                                                                                                                • DrawFocusRect.USER32(?,?), ref: 0070757D
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(00000011), ref: 0070758E
                                                                                                                                                                                                                                                                                                                                                                                • SetTextColor.GDI32(?,00000000), ref: 00707596
                                                                                                                                                                                                                                                                                                                                                                                • DrawTextW.USER32(?,007070F5,000000FF,?,00000000), ref: 007075A8
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,?), ref: 007075BF
                                                                                                                                                                                                                                                                                                                                                                                • DeleteObject.GDI32(?), ref: 007075CA
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,?), ref: 007075D0
                                                                                                                                                                                                                                                                                                                                                                                • DeleteObject.GDI32(?), ref: 007075D5
                                                                                                                                                                                                                                                                                                                                                                                • SetTextColor.GDI32(?,?), ref: 007075DB
                                                                                                                                                                                                                                                                                                                                                                                • SetBkColor.GDI32(?,?), ref: 007075E5
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1996641542-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 10680741f5e6c3d6feb862981613dc0ff5cb6e11486854ca2ef22dcdbfb79e1d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4c698fd6d2f536f6d0fd030573a2f09124f4ace0c535c9791a85ade6c55e9d71
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 10680741f5e6c3d6feb862981613dc0ff5cb6e11486854ca2ef22dcdbfb79e1d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 38616175D00218EFDB059FA4DC49ADE7FB9EB09320F108315F911A72E1DB79A950CB94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 006E4AED
                                                                                                                                                                                                                                                                                                                                                                                • GetDriveTypeW.KERNEL32(?,0070CB68,?,\\.\,0070CC08), ref: 006E4BCA
                                                                                                                                                                                                                                                                                                                                                                                • SetErrorMode.KERNEL32(00000000,0070CB68,?,\\.\,0070CC08), ref: 006E4D36
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
APIs
• CharUpperBuffW.USER32(?,?), ref: 007002E5
• _wcslen.LIBCMT ref: 0070031F
• _wcslen.LIBCMT ref: 00700389
• _wcslen.LIBCMT ref: 007003F1
• _wcslen.LIBCMT ref: 00700475
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007004C5
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00700504
  • Part of subcall function 0068F9F2: _wcslen.LIBCMT ref: 0068F9FD
  • Part of subcall function 006D223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006D2258
  • Part of subcall function 006D223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006D228A
Strings
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-1753161424
APIs
• GetCursorPos.USER32(?), ref: 00701128
• GetDesktopWindow.USER32 ref: 0070113D
• GetWindowRect.USER32(00000000), ref: 00701144
• GetWindowLongW.USER32(?,000000F0), ref: 00701199
• DestroyWindow.USER32(?), ref: 007011B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007011ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0070120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0070121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00701232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00701245
• IsWindowVisible.USER32(00000000), ref: 007012A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007012BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007012D0
• GetWindowRect.USER32(00000000,?), ref: 007012E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 0070130E
• GetMonitorInfoW.USER32(00000000,?), ref: 00701328
• CopyRect.USER32(?,?), ref: 0070133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 007013AA
Strings
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 20895521438700935bae97159d7ecc6596d2146e130dcf14b68f99af15ef36bc
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: eac9baa84f8ec238a7903e951229ccf19310ddb58f817442a7291fa91a529a1c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 20895521438700935bae97159d7ecc6596d2146e130dcf14b68f99af15ef36bc
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6CB19A71604341EFD714DF64C884B6ABBE5FF84704F408A1CF9999B2A1DB35E844CBA6
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00688968
                                                                                                                                                                                                                                                                                                                                                                                • GetSystemMetrics.USER32(00000007), ref: 00688970
                                                                                                                                                                                                                                                                                                                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0068899B
                                                                                                                                                                                                                                                                                                                                                                                • GetSystemMetrics.USER32(00000008), ref: 006889A3
                                                                                                                                                                                                                                                                                                                                                                                • GetSystemMetrics.USER32(00000004), ref: 006889C8
                                                                                                                                                                                                                                                                                                                                                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006889E5
                                                                                                                                                                                                                                                                                                                                                                                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006889F5
                                                                                                                                                                                                                                                                                                                                                                                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00688A28
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00688A3C
                                                                                                                                                                                                                                                                                                                                                                                • GetClientRect.USER32(00000000,000000FF), ref: 00688A5A
                                                                                                                                                                                                                                                                                                                                                                                • GetStockObject.GDI32(00000011), ref: 00688A76
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00688A81
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0068912D: GetCursorPos.USER32(?), ref: 00689141
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0068912D: ScreenToClient.USER32(00000000,?), ref: 0068915E
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0068912D: GetAsyncKeyState.USER32(00000001), ref: 00689183
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0068912D: GetAsyncKeyState.USER32(00000002), ref: 0068919D
                                                                                                                                                                                                                                                                                                                                                                                • SetTimer.USER32(00000000,00000000,00000028,006890FC), ref: 00688AA8
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u$AutoIt v3 GUI
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1458621304-2077007950
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 5a2269d1d72d0ed81502d0ab0458222897edf5788aee94cc24627e9fde7d8d75
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e292f0fe049c92a77113830cafe8063d66d9b63c768a3dd094945118f36f81da
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5a2269d1d72d0ed81502d0ab0458222897edf5788aee94cc24627e9fde7d8d75
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6CB15D75A00209DFDF14EF68CC45BEE3BB6FB48314F508229FA15AB290DB74A841CB59
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadIconW.USER32(00000063), ref: 006D5A2E
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006D5A40
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowTextW.USER32(?,?), ref: 006D5A57
                                                                                                                                                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 006D5A6C
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowTextW.USER32(00000000,?), ref: 006D5A72
                                                                                                                                                                                                                                                                                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 006D5A82
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowTextW.USER32(00000000,?), ref: 006D5A88
                                                                                                                                                                                                                                                                                                                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 006D5AA9
                                                                                                                                                                                                                                                                                                                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 006D5AC3
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 006D5ACC
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006D5B33
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowTextW.USER32(?,?), ref: 006D5B6F
                                                                                                                                                                                                                                                                                                                                                                                • GetDesktopWindow.USER32 ref: 006D5B75
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(00000000), ref: 006D5B7C
                                                                                                                                                                                                                                                                                                                                                                                • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 006D5BD3
                                                                                                                                                                                                                                                                                                                                                                                • GetClientRect.USER32(?,?), ref: 006D5BE0
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000005,00000000,?), ref: 006D5C05
                                                                                                                                                                                                                                                                                                                                                                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 006D5C2F
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
• String ID: @U=u
• API String ID: 895679908-2594219639
• Opcode ID: e9071c0ca5da6a311cfe11efd4aabf59db701a3367422df5f83f2defa766695e
• Instruction ID: 549e0144f63d7bafb84393e0ce737fe214a942d5bd8d3b4d97ef366b97106a79
• Opcode Fuzzy Hash: e9071c0ca5da6a311cfe11efd4aabf59db701a3367422df5f83f2defa766695e
• Instruction Fuzzy Hash: 7C716F31900B05DFDB21DFA8CD55AAEBBF6FF48704F10461AE143A66A0DB75E940CB54
APIs
• CharUpperBuffW.USER32(?,?), ref: 007009C6
• _wcslen.LIBCMT ref: 00700A01
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00700A54
• _wcslen.LIBCMT ref: 00700A8A
• _wcslen.LIBCMT ref: 00700B06
• _wcslen.LIBCMT ref: 00700B81
  • Part of subcall function 0068F9F2: _wcslen.LIBCMT ref: 0068F9FD
  • Part of subcall function 006D2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006D2BFA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 1103490817-383632319
• Opcode ID: 12fa7edd9e623404519a0025117f33da2dbd51a880fec528de1c63e729ff74b1
• Instruction ID: 306b09a6e2f24b963d4c380a53561e7afd80b490e0f28e1792780382172332dd
• Opcode Fuzzy Hash: 12fa7edd9e623404519a0025117f33da2dbd51a880fec528de1c63e729ff74b1
• Instruction Fuzzy Hash: 07E1AE71208301DFC754DF24C450A2AB7E2BF98324F148A5DF89A9B3A2DB38ED45CB95
APIs
  • Part of subcall function 006D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006D1114
  • Part of subcall function 006D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1120
  • Part of subcall function 006D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D112F
  • Part of subcall function 006D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1136
  • Part of subcall function 006D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006D114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006D0DF5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006D0E29
• GetLengthSid.ADVAPI32(?), ref: 006D0E40
• GetAce.ADVAPI32(?,00000000,?), ref: 006D0E7A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006D0E96
• GetLengthSid.ADVAPI32(?), ref: 006D0EAD
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 006D0EB5
• HeapAlloc.KERNEL32(00000000), ref: 006D0EBC
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 006D0EDD
• CopySid.ADVAPI32(00000000), ref: 006D0EE4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006D0F13
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006D0F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 006D0F47
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0F6E
• HeapFree.KERNEL32(00000000), ref: 006D0F75
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0F7E
• HeapFree.KERNEL32(00000000), ref: 006D0F85
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0F8E
• HeapFree.KERNEL32(00000000), ref: 006D0F95
• GetProcessHeap.KERNEL32(00000000,?), ref: 006D0FA1
• HeapFree.KERNEL32(00000000), ref: 006D0FA8
  • Part of subcall function 006D1193: GetProcessHeap.KERNEL32(00000008,006D0BB1,?,00000000,?,006D0BB1,?), ref: 006D11A1
  • Part of subcall function 006D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,006D0BB1,?), ref: 006D11A8
  • Part of subcall function 006D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006D0BB1,?), ref: 006D11B7
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: 928871adc3f51b7526fb8d6638c58b74363bd9261a757b87d7939d2bfc9b4315
• Instruction ID: 836f0e3bb80143aba7e723c97debb08c8034f8066f5400fb9399bd3ebf8f046e
• Opcode Fuzzy Hash: 928871adc3f51b7526fb8d6638c58b74363bd9261a757b87d7939d2bfc9b4315
• Instruction Fuzzy Hash: D8716F72D0020AEBEF21DFA4DC49FEEBBB9BF05300F148216F915A6291DB759905CB60
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 0070835A
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 0070836E
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00708391
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 007083B4
                                                                                                                                                                                                                                                                                                                                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007083F2
                                                                                                                                                                                                                                                                                                                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0070361A,?), ref: 0070844E
                                                                                                                                                                                                                                                                                                                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00708487
                                                                                                                                                                                                                                                                                                                                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007084CA
                                                                                                                                                                                                                                                                                                                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00708501
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(?), ref: 0070850D
                                                                                                                                                                                                                                                                                                                                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0070851D
                                                                                                                                                                                                                                                                                                                                                                                • DestroyIcon.USER32(?), ref: 0070852C
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00708549
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00708555
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                                                                                                                                                                                                                                                                                                • String ID: .dll$.exe$.icl$@U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 799131459-1639919054
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 0e057f0269ad623b7d87102cfe6b77bb6ba620d822a9fd106360663c0cebab71
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 678b275b1f108bc1f449337ece912b9545d1d8d8ddda8db9439918338ec9ad86
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0e057f0269ad623b7d87102cfe6b77bb6ba620d822a9fd106360663c0cebab71
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C461EE71500219FAEB54CF64CC81BBE77ACBB08B21F108709F855D61D1DFB8AA91CBA0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006FC4BD
                                                                                                                                                                                                                                                                                                                                                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,0070CC08,00000000,?,00000000,?,?), ref: 006FC544
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 006FC5A4
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006FC5F4
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006FC66F
                                                                                                                                                                                                                                                                                                                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 006FC6B2
                                                                                                                                                                                                                                                                                                                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 006FC7C1
                                                                                                                                                                                                                                                                                                                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 006FC84D
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 006FC881
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 006FC88E
                                                                                                                                                                                                                                                                                                                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 006FC960
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                                                                                                                                                                                                                                                                                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 9721498-966354055
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 029efc7dc9d482b96b7b42935138a887f50a25cfbd431b93f3bed29fc5a7d05b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: d502c211b537eb71d196fb8d3a3192a2754ec1e8f5f39ec74323159bec38a47e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 029efc7dc9d482b96b7b42935138a887f50a25cfbd431b93f3bed29fc5a7d05b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C3127A352042059FDB54DF24C981E6ABBE6FF88724F14885CF95A9B3A2DB31EC41CB85
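The registry routine above is the kind of entry a reviewer reads by hand: the static-analysis plugin prints each call as `Name.MODULE(args), ref: ADDR`, with `?` for an argument it could not resolve, and the REG_* names in the entry's String ID line show it is a generic value-writing routine that switches on a type name. The Python below is an added example, not part of the Joe Sandbox report or the sample; it parses those API lines (the sample text is copied from the entry above) into structured records and decodes the `dwType` argument of every `RegSetValueExW` call using the documented winnt.h constants, so the four writes can be read as REG_SZ, REG_MULTI_SZ, REG_QWORD and REG_BINARY without consulting a table. The regex and the `ApiCall` type are this example's own; the plugin does not expose such an interface.

```python
"""Parse Joe Sandbox "APIs" lines and decode RegSetValueExW value types.

Added example, not report or sample code. Input format assumed from the
report text: "• Name.MODULE(arg,arg,...), ref: HEXADDR" or, for CRT
symbols, "• _name.LIBCMT ref: HEXADDR". A "?" argument means the plugin
could not resolve the value statically.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the API list of the registry-write function, copied
# verbatim from the report entry above.
SAMPLE = """\
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006FC4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0070CC08,00000000,?,00000000,?,?), ref: 006FC544
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 006FC5A4
• _wcslen.LIBCMT ref: 006FC5F4
• _wcslen.LIBCMT ref: 006FC66F
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 006FC6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 006FC7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 006FC84D
• RegCloseKey.ADVAPI32(?), ref: 006FC881
• RegCloseKey.ADVAPI32(00000000), ref: 006FC88E
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 006FC960
"""

# Registry value types from winnt.h. The names that also appear in the
# entry's String ID line are exactly the ones a RegWrite-style routine
# maps from a caller-supplied type string to dwType.
REG_TYPES = {
    0x0: "REG_NONE", 0x1: "REG_SZ", 0x2: "REG_EXPAND_SZ", 0x3: "REG_BINARY",
    0x4: "REG_DWORD", 0x7: "REG_MULTI_SZ", 0xB: "REG_QWORD",
}

# One report line: bullet, symbol.MODULE, optional "(args)", then "ref: ADDR".
LINE_RE = re.compile(
    r"^•\s*(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # hex values as ints; None for an unresolved "?"
    ref: int                   # address of the call site in the dump


def parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the report's bullet lines into ApiCall records; skips non-matching lines."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16)))
    return calls


def decode_reg_set_value(call: ApiCall) -> Optional[str]:
    """RegSetValueExW(hKey, lpValueName, Reserved, dwType, lpData, cbData):
    dwType is argument index 3. Returns the REG_* name, or None for other calls."""
    if call.name != "RegSetValueExW" or len(call.args) < 4:
        return None
    dw_type = call.args[3]
    if dw_type is None:
        return "dwType unresolved"
    return REG_TYPES.get(dw_type, "unknown type 0x%X" % dw_type)


def registry_write_summary(calls: List[ApiCall]):
    """Ordered ADVAPI32 call sequence plus the decoded type of each value write."""
    seq = [c.name for c in calls if c.module == "ADVAPI32"]
    types = [decode_reg_set_value(c) for c in calls if c.name == "RegSetValueExW"]
    return seq, types


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    sequence, value_types = registry_write_summary(parsed)
    print(" -> ".join(sequence))
    for call, t in zip((c for c in parsed if c.name == "RegSetValueExW"), value_types):
        print("0x%08X RegSetValueExW dwType=%s" % (call.ref, t))
```

One consistency check worth keeping in mind when reading these lists: the write at 006FC84D passes `cbData = 00000008`, which is the size of a 64-bit value and agrees with the decoded REG_QWORD, whereas the REG_SZ and REG_MULTI_SZ writes leave `cbData` unresolved because the length comes from the `_wcslen` calls just before them.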
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen$BuffCharUpper
                                                                                                                                                                                                                                                                                                                                                                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1256254125-909552448
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 15a59103e9784133d0b0560c6d09221a85c2b49145686ff508be85c978b66bd0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a3196f16ff9bd80926c90e57bcc90088531d5bdbd10ef4fbc72a38f88ea86990
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 15a59103e9784133d0b0560c6d09221a85c2b49145686ff508be85c978b66bd0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AB71F27260012E8BCB20DE7CCA519FA3397AFA0774F214528FA6697385EA35DD45C3A0
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 0-1645009161
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f040da710b767446c2dd377c6c8d106661f6ca8b2f6f4f693a79b0cfcbc4df02
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 6b6594b348eb29eb1a123d16122a5f32f511e989c3067384951d0f3350905454
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f040da710b767446c2dd377c6c8d106661f6ca8b2f6f4f693a79b0cfcbc4df02
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C181FBB1604205BFDF65AF64CC42FEE37ABAF15300F048128F909AB296EB74D951C7A5
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00708592
                                                                                                                                                                                                                                                                                                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 007085A2
                                                                                                                                                                                                                                                                                                                                                                                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 007085AD
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 007085BA
                                                                                                                                                                                                                                                                                                                                                                                • GlobalLock.KERNEL32(00000000), ref: 007085C8
                                                                                                                                                                                                                                                                                                                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007085D7
                                                                                                                                                                                                                                                                                                                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 007085E0
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 007085E7
                                                                                                                                                                                                                                                                                                                                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007085F8
                                                                                                                                                                                                                                                                                                                                                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,0070FC38,?), ref: 00708611
                                                                                                                                                                                                                                                                                                                                                                                • GlobalFree.KERNEL32(00000000), ref: 00708621
                                                                                                                                                                                                                                                                                                                                                                                • GetObjectW.GDI32(?,00000018,000000FF), ref: 00708641
                                                                                                                                                                                                                                                                                                                                                                                • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00708671
                                                                                                                                                                                                                                                                                                                                                                                • DeleteObject.GDI32(00000000), ref: 00708699
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007086AF
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3840717409-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: bd0e34d7fe67fee954d1bf3dc07806171dc1f8214affd4601dd70fe6ccade01d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: fef4db96f3d22c5dd1d29420dca76733941e1e89e767fbb7e12b8582f661bc8b
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bd0e34d7fe67fee954d1bf3dc07806171dc1f8214affd4601dd70fe6ccade01d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DF414C71600208EFDB119FA5CC88EAE7BB8FF89715F108258F905E72A0DB399D01CB25
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: _wcslen
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[s
• API String ID: 176396367-691173368
• Opcode ID: 0b5aa5d379020f217f10e730503a8d7b32d94c198a049fe518ac63ea10c8066a
• Instruction ID: f7a017c7ccd8b3f7d290792f94386030da3c90c0fc6ab691979c92c368197316
• Opcode Fuzzy Hash: 0b5aa5d379020f217f10e730503a8d7b32d94c198a049fe518ac63ea10c8066a
• Instruction Fuzzy Hash: 7FE1D432E00626ABCF549FA4C8516EEFBB6BF54710F54822BE456E7340DB30AF4587A1
APIs
  • Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2
• DragQueryPoint.SHELL32(?,?), ref: 00709147
  • Part of subcall function 00707674: ClientToScreen.USER32(?,?), ref: 0070769A
  • Part of subcall function 00707674: GetWindowRect.USER32(?,?), ref: 00707710
  • Part of subcall function 00707674: PtInRect.USER32(?,?,00708B89), ref: 00707720
• SendMessageW.USER32(?,000000B0,?,?), ref: 007091B0
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007091BB
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007091DE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00709225
• SendMessageW.USER32(?,000000B0,?,?), ref: 0070923E
• SendMessageW.USER32(?,000000B1,?,?), ref: 00709255
• SendMessageW.USER32(?,000000B1,?,?), ref: 00709277
• DragFinish.SHELL32(?), ref: 0070927E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00709371
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u$p#t
• API String ID: 221274066-2918349957
• Opcode ID: 67ce6ce8b5cc8b056e8e51924178e265540037d1a7b518aa2544676f3d593a84
• Instruction ID: 95bea6864283e363dce9de3e3acc54390e6fdf14af80ede72e1f12f808a41909
• Opcode Fuzzy Hash: 67ce6ce8b5cc8b056e8e51924178e265540037d1a7b518aa2544676f3d593a84
• Instruction Fuzzy Hash: 1B618871108301AFD701EF60CC85DAFBBE9EF89350F004A2EF695921A1DB349A49CB66
APIs
• __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006900C6
  • Part of subcall function 006900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0074070C,00000FA0,EFC43283,?,?,?,?,006B23B3,000000FF), ref: 0069011C
  • Part of subcall function 006900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006B23B3,000000FF), ref: 00690127
  • Part of subcall function 006900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006B23B3,000000FF), ref: 00690138
  • Part of subcall function 006900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0069014E
  • Part of subcall function 006900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0069015C
  • Part of subcall function 006900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0069016A
  • Part of subcall function 006900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00690195
  • Part of subcall function 006900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006901A0
• ___scrt_fastfail.LIBCMT ref: 006900E7
  • Part of subcall function 006900A3: __onexit.LIBCMT ref: 006900A9
Strings
• WakeAllConditionVariable, xrefs: 00690162
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 00690122
• InitializeConditionVariable, xrefs: 00690148
• SleepConditionVariableCS, xrefs: 00690154
• kernel32.dll, xrefs: 00690133
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
• String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 66158676-1714406822
• Opcode ID: 28104ff3620a2ec61c26e1337d78d4201518cc95c3e35147db0697054c875466
• Instruction ID: 1d74f1f66d9a00a7c08c56f118d28354d55c5a508f631c4209af495d7c6e6e32
• Opcode Fuzzy Hash: 28104ff3620a2ec61c26e1337d78d4201518cc95c3e35147db0697054c875466
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7821DA72644710EFFF225BB4AC09B6937D9DB05B61F14432AF901A2AD1DF7858008A99
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CharLowerBuffW.USER32(00000000,00000000,0070CC08), ref: 006E4527
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006E453B
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006E4599
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006E45F4
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006E463F
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006E46A7
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0068F9F2: _wcslen.LIBCMT ref: 0068F9FD
                                                                                                                                                                                                                                                                                                                                                                                • GetDriveTypeW.KERNEL32(?,00736BF0,00000061), ref: 006E4743
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen$BuffCharDriveLowerType
                                                                                                                                                                                                                                                                                                                                                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2055661098-1000479233
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 613d9d7945c2115d3bc0e90f52539de0c36061d26d02d59e7663851585464bb6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4358a9c1b0e613d9d106cf324919749ce16a9b165629012781b1015b8fac889d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 613d9d7945c2115d3bc0e90f52539de0c36061d26d02d59e7663851585464bb6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8AB1F4716093429FC710DF39C8909AAB7E6BFA5720F508A1DF496C7391EB30D845CBA2
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • DestroyWindow.USER32(00000000,?), ref: 00706DEB
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A
                                                                                                                                                                                                                                                                                                                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00706E5F
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00706E81
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00706E94
                                                                                                                                                                                                                                                                                                                                                                                • DestroyWindow.USER32(?), ref: 00706EB5
                                                                                                                                                                                                                                                                                                                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00670000,00000000), ref: 00706EE4
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00706EFD
                                                                                                                                                                                                                                                                                                                                                                                • GetDesktopWindow.USER32 ref: 00706F16
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(00000000), ref: 00706F1D
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00706F35
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00706F4D
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689944: GetWindowLongW.USER32(?,000000EB), ref: 00689952
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 0$@U=u$tooltips_class32
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2429346358-1130792468
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 1e43481e1d4e52d8b9d93997ab649c74df8d4334a4e4260234bada270ad0445c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: db5c046a0f1a0c83a11a0a61f0605d3c5278f525b9ac6afd20dd6fce8de2f7e7
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1e43481e1d4e52d8b9d93997ab649c74df8d4334a4e4260234bada270ad0445c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C2719974100341EFDB21DF18DC54EAABBE9FB89300F444A1EF989872A1CB79E956CB15
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemCount.USER32(00741990), ref: 006B2F8D
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemCount.USER32(00741990), ref: 006B303D
                                                                                                                                                                                                                                                                                                                                                                                • GetCursorPos.USER32(?), ref: 006B3081
• SetForegroundWindow.USER32(00000000), ref: 006B308A
• TrackPopupMenuEx.USER32(00741990,00000000,?,00000000,00000000,00000000), ref: 006B309D
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006B30A9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
• Opcode ID: 12036b50c64eac29de874c2a50156011d723d7acc710ec84ad9717acb091a029
• Instruction ID: ffc8fd55a0e9d98331ce6de9ee6d22408742d87410d5ca3fa520ceb991968e97
• Opcode Fuzzy Hash: 12036b50c64eac29de874c2a50156011d723d7acc710ec84ad9717acb091a029
• Instruction Fuzzy Hash: CB710AB0640216BEEB219F25CC59FEABFAAFF04364F204306F5246A3D1C7B19950D754
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006EC4B0
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006EC4C3
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006EC4D7
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 006EC4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 006EC533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 006EC549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006EC554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006EC584
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006EC5DC
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006EC5F0
• InternetCloseHandle.WININET(00000000), ref: 006EC5FB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
• String ID:
• API String ID: 3800310941-3916222277
• Opcode ID: 89c763eb7f0c2b632a4f80c5030ca9aec357e0616ee0081af24e7dd655ebf6c2
• Instruction ID: aa9acb23e9a288607340cac32de04122cec3343b3b36e12a8487a0869bb40499
• Opcode Fuzzy Hash: 89c763eb7f0c2b632a4f80c5030ca9aec357e0616ee0081af24e7dd655ebf6c2
• Instruction Fuzzy Hash: 1B518DB1101348FFDB229F62C948AAB7BFDFF08364F00861AF94596250DB34E9159F60
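The WinINet block above is the one sequence in this function listing worth triaging by hand: InternetConnectW, HttpOpenRequestW, a query and set of option 0x1F (INTERNET_OPTION_SECURITY_FLAGS) on the request handle, HttpSendRequestW, HttpQueryInfoW and InternetCloseHandle. The following script is an added example, not part of the Joe Sandbox report or of the sample itself: it parses call lines in the format the IDA plugin emits, returns the ordered WININET chain, and flags InternetSetOptionW calls that touch the security flags. The third argument to InternetSetOptionW is a pointer to the flag DWORD, so the literal 00000100 in the listing is decoded as SECURITY_FLAG_IGNORE_UNKNOWN_CA only on the assumption that the static listing resolved the pointed-to value rather than a stack address; the sample text is copied from the block above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the WinINet call lines from this report, in the
# "• Func.MODULE(args), ref: ADDR" shape the Joe Sandbox IDA plugin emits.
SAMPLE = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006EC4B0
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006EC4C3
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006EC4D7
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 006EC4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 006EC533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 006EC549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006EC554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006EC584
• InternetCloseHandle.WININET(00000000), ref: 006EC5FB
"""

# Lines without a call signature (headings, 'Part of subcall function ...',
# memory-dump sources) simply do not match and are skipped.
CALL_RE = re.compile(
    r"^\s*•?\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented WinINet constants (wininet.h).
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAG_BITS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Optional[int]]  # None where the listing shows '?'
    ref: int                   # address of the call site


def parse_calls(text: str) -> List[ApiCall]:
    """Parse every call line in a Joe Sandbox 'APIs' block."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args: List[Optional[int]] = []
        for raw in m.group("args").split(","):
            raw = raw.strip()
            if raw == "":
                continue
            args.append(None if raw == "?" else int(raw, 16))
        calls.append(ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def wininet_sequence(calls: List[ApiCall]) -> List[str]:
    """Ordered WININET calls, i.e. the HTTP request chain as laid out in code."""
    return [c.func for c in calls if c.module == "WININET"]


def find_tls_weakening(calls: List[ApiCall]) -> List[Tuple[int, List[str]]]:
    """Flag InternetSetOptionW writes to INTERNET_OPTION_SECURITY_FLAGS.

    Returns (call-site address, decoded flag names). ASSUMPTION: the third
    argument in the listing is the flag value itself; it is really lpBuffer,
    so an unresolved or pointer-looking value yields an empty name list and
    the call is still reported for manual review.
    """
    findings = []
    for c in calls:
        if c.func != "InternetSetOptionW" or len(c.args) < 2:
            continue
        if c.args[1] != INTERNET_OPTION_SECURITY_FLAGS:
            continue
        names: List[str] = []
        if len(c.args) >= 3 and c.args[2] is not None:
            names = [n for bit, n in SECURITY_FLAG_BITS.items() if c.args[2] & bit]
        findings.append((c.ref, names))
    return findings


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    print(" -> ".join(wininet_sequence(parsed)))
    for ref, names in find_tls_weakening(parsed):
        print(f"InternetSetOptionW at {ref:08X} sets security flags: {names or 'unresolved'}")
```

Run it against any "APIs" block pasted from a report; a hit on INTERNET_OPTION_SECURITY_FLAGS is the cue to confirm in the decompiled function whether the queried flags are OR-ed with an ignore-certificate bit before being written back.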
APIs
• VariantInit.OLEAUT32(00000000), ref: 006E1502
• VariantCopy.OLEAUT32(?,?), ref: 006E150B
• VariantClear.OLEAUT32(?), ref: 006E1517
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006E15FB
• VarR8FromDec.OLEAUT32(?,?), ref: 006E1657
• VariantInit.OLEAUT32(?), ref: 006E1708
• SysFreeString.OLEAUT32(?), ref: 006E178C
• VariantClear.OLEAUT32(?), ref: 006E17D8
• VariantClear.OLEAUT32(?), ref: 006E17E7
• VariantInit.OLEAUT32(00000000), ref: 006E1823
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 1234038744-3931177956
• Opcode ID: 5ab1ffedba9bb3550374beedbd7143218f4a01ff854e1b619bce01b84d8131d1
• Instruction ID: 1748d6fa86bf9f3c57b8d25920ec8c0bebbea06af2582455468cdccb3c13bd9f
• Opcode Fuzzy Hash: 5ab1ffedba9bb3550374beedbd7143218f4a01ff854e1b619bce01b84d8131d1
• Instruction Fuzzy Hash: 90D1F6B1601245DBDB00AF66D889BBDB7B7BF46700F10815AF846AF285DB34DC42EB61
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006FB6AE,?,?), ref: 006FC9B5
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FC9F1
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA68
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA9E
                                                                                                                                                                                                                                                                                                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006FB6F4
                                                                                                                                                                                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006FB772
                                                                                                                                                                                                                                                                                                                                                                                • RegDeleteValueW.ADVAPI32(?,?), ref: 006FB80A
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 006FB87E
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 006FB89C
                                                                                                                                                                                                                                                                                                                                                                                • LoadLibraryA.KERNEL32(advapi32.dll), ref: 006FB8F2
                                                                                                                                                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006FB904
                                                                                                                                                                                                                                                                                                                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 006FB922
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 006FB983
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 006FB994
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                                                                                                                                                                                                                                                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 146587525-4033151799
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 278804df9edef6401e6fd5adbf2cba1a0fba2392d8a962e81b86961715fc708e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 863cce5a82a7463230aece935edf4af96cefc5f8ac0337b68c279ca6daa6dafd
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 278804df9edef6401e6fd5adbf2cba1a0fba2392d8a962e81b86961715fc708e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 61C19B30208205EFD710DF24C495F6ABBE6BF85318F14D55CE6AA8B3A2CB75E845CB91
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00705504
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00705515
                                                                                                                                                                                                                                                                                                                                                                                • CharNextW.USER32(00000158), ref: 00705544
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00705585
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0070559B
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007055AC
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$CharNext
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1350042424-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 327be51e2c9e1a74ccf626f39fd0134430ecbab8084fce7a0057384488596e6b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a734c807abe54dd48093e0c75fb0ce57bfccc1ba558619dafd82c643c879ed4c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 327be51e2c9e1a74ccf626f39fd0134430ecbab8084fce7a0057384488596e6b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 13615B74900608EBDF219F54CC84DFF7BB9EB05720F108245F925AA2D0DB799A81DF60
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetDC.USER32(00000000), ref: 006F25D8
                                                                                                                                                                                                                                                                                                                                                                                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006F25E8
                                                                                                                                                                                                                                                                                                                                                                                • CreateCompatibleDC.GDI32(?), ref: 006F25F4
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(00000000,?), ref: 006F2601
                                                                                                                                                                                                                                                                                                                                                                                • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 006F266D
                                                                                                                                                                                                                                                                                                                                                                                • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006F26AC
                                                                                                                                                                                                                                                                                                                                                                                • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006F26D0
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(?,?), ref: 006F26D8
                                                                                                                                                                                                                                                                                                                                                                                • DeleteObject.GDI32(?), ref: 006F26E1
                                                                                                                                                                                                                                                                                                                                                                                • DeleteDC.GDI32(?), ref: 006F26E8
                                                                                                                                                                                                                                                                                                                                                                                • ReleaseDC.USER32(00000000,?), ref: 006F26F3
                                                                                                                                                                                                                                                                                                                                                                                Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
APIs
• timeGetTime.WINMM ref: 006DE6B4
  • Part of subcall function 0068E551: timeGetTime.WINMM(?,?,006DE6D4), ref: 0068E555
• Sleep.KERNEL32(0000000A), ref: 006DE6E1
• EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 006DE705
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006DE727
• SetActiveWindow.USER32 ref: 006DE746
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006DE754
• SendMessageW.USER32(00000010,00000000,00000000), ref: 006DE773
• Sleep.KERNEL32(000000FA), ref: 006DE77E
• IsWindow.USER32 ref: 006DE78A
• EndDialog.USER32(00000000), ref: 006DE79B
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: @U=u$BUTTON
• API String ID: 1194449130-2582809321
APIs
• ___free_lconv_mon.LIBCMT ref: 006ADAA1
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD659
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD66B
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD67D
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD68F
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6A1
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6B3
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6C5
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6D7
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6E9
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6FB
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD70D
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD71F
  • Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD731
• _free.LIBCMT ref: 006ADA96
  • Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
  • Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0
• _free.LIBCMT ref: 006ADAB8
• _free.LIBCMT ref: 006ADACD
• _free.LIBCMT ref: 006ADAD8
• _free.LIBCMT ref: 006ADAFA
• _free.LIBCMT ref: 006ADB0D
• _free.LIBCMT ref: 006ADB1B
• _free.LIBCMT ref: 006ADB26
• _free.LIBCMT ref: 006ADB5E
• _free.LIBCMT ref: 006ADB65
• _free.LIBCMT ref: 006ADB82
• _free.LIBCMT ref: 006ADB9A
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 161543041-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 70c4333d9b0fda56b661903dcec1ea116630b195453d43c24483f06b4a5941f2
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 1ebd3fb5c79a634863c6bc585441c4c363ad43937f4dce768ced554f2dc7d1a4
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 70c4333d9b0fda56b661903dcec1ea116630b195453d43c24483f06b4a5941f2
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 30315C716442069FEBA1BA39E845B9BB7EAFF02B10F11442DE44AD7691DA30BC408F25
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 006D369C
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006D36A7
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006D3797
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 006D380C
                                                                                                                                                                                                                                                                                                                                                                                • GetDlgCtrlID.USER32(?), ref: 006D385D
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 006D3882
                                                                                                                                                                                                                                                                                                                                                                                • GetParent.USER32(?), ref: 006D38A0
                                                                                                                                                                                                                                                                                                                                                                                • ScreenToClient.USER32(00000000), ref: 006D38A7
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 006D3921
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 006D395D
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: %s%u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4010501982-679674701
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 472d3d753beb559b23184a643ef1a5508fef0de3aca4e324bfcf0d679ba89dea
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 63149561687df5882569f05b0d7f50496c3859f4612485d26879a620cabb4fb2
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 472d3d753beb559b23184a643ef1a5508fef0de3aca4e324bfcf0d679ba89dea
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E491D771600616EFD715DF24C895FEAB7AAFF44350F00861AF999C6390EB30EA45CB92
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 006D4994
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 006D49DA
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006D49EB
                                                                                                                                                                                                                                                                                                                                                                                • CharUpperBuffW.USER32(?,00000000), ref: 006D49F7
                                                                                                                                                                                                                                                                                                                                                                                • _wcsstr.LIBVCRUNTIME ref: 006D4A2C
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 006D4A64
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 006D4A9D
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 006D4AE6
                                                                                                                                                                                                                                                                                                                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 006D4B20
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 006D4B8B
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                                                                                                                                                                                                                                                                                                                                • String ID: ThumbnailClass
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1311036022-1241985126
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 2a97f58f14057c472e584355c894eff02500db627c4879966750a178325df52a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a98f9e25d6cf7a22c60696f235545f149ec19f354c600e9561211ab150df462c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2a97f58f14057c472e584355c894eff02500db627c4879966750a178325df52a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4E91DC318082059FDB05CF10C985BAA77EAFF94304F04856BFD8A9A296DF34ED45CBA1
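The per-function "APIs" listings above follow one line shape ("• Api.Module(args), ref: addr", with an optional "Part of subcall function" prefix and with CRT entries such as _wcslen.LIBCMT carrying no argument list), and the "Similarity" fields give each function an API ID and String ID. The parser below turns those listings into structured records so the report can be processed in bulk, for instance to rank functions by how often they call a given import or to pick out the functions that read other windows' class names and text. It is an added example, not code from the report or from Joe Sandbox; the sample input is copied from the listings above (memory-dump fields omitted), and the reads_window_text() tag is the example's own heuristic, an assumption rather than anything the report states.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox IDA-plugin report.

Added example, not part of the report or of Joe Sandbox.  LISTING below is
copied from the report's own function blocks; the window-text tag is an
assumption of this example.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# One "• Api.Module(args), ref: addr" line.  The argument list and the comma
# before "ref:" are optional (CRT entries like "_wcslen.LIBCMT ref: 006D36A7").
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]      # raw argument cells, "?" where unknown
    ref: int                   # address of the call site
    subcall_of: int | None = None  # set for "Part of subcall function" entries


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str | None = None
    string_id: str | None = None


def parse_listing(text: str) -> list[FunctionBlock]:
    """Split the report text into one FunctionBlock per "APIs" header."""
    blocks: list[FunctionBlock] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append(FunctionBlock())
            continue
        if not blocks:
            continue
        m = API_LINE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            blocks[-1].calls.append(ApiCall(
                api=m["api"], module=m["module"], args=args,
                ref=int(m["ref"], 16),
                subcall_of=int(m["subfn"], 16) if m["subfn"] else None))
        elif line.startswith("• API ID:"):
            blocks[-1].api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            blocks[-1].string_id = line.split(":", 1)[1].strip() or None
    return blocks


def api_counts(block: FunctionBlock) -> Counter[str]:
    """Call frequency per imported API, excluding nested subcall entries."""
    return Counter(c.api for c in block.calls if c.subcall_of is None)


def ref_range(block: FunctionBlock) -> tuple[int, int]:
    """Lowest and highest call-site address inside the function itself."""
    refs = [c.ref for c in block.calls if c.subcall_of is None]
    return min(refs), max(refs)


# Assumption of this example: a function that fetches both a window's class
# name and its text is enumerating or scraping foreign windows.
UI_SCRAPE = {"GetClassNameW", "GetWindowTextW"}


def reads_window_text(block: FunctionBlock) -> bool:
    return UI_SCRAPE <= {c.api for c in block.calls}


# Copied from the report's listings above (Memory Dump Source fields omitted).
LISTING = """\
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 006D369C
• _wcslen.LIBCMT ref: 006D36A7
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006D3797
• GetClassNameW.USER32(?,?,00000400), ref: 006D380C
• GetDlgCtrlID.USER32(?), ref: 006D385D
• GetWindowRect.USER32(?,?), ref: 006D3882
• GetParent.USER32(?), ref: 006D38A0
• ScreenToClient.USER32(00000000), ref: 006D38A7
• GetClassNameW.USER32(?,?,00000100), ref: 006D3921
• GetWindowTextW.USER32(?,?,00000400), ref: 006D395D
Strings
Similarity
• API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
• String ID: %s%u
APIs
  • Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00708D5A
• GetFocus.USER32 ref: 00708D6A
• GetDlgCtrlID.USER32(00000000), ref: 00708D75
"""

if __name__ == "__main__":
    for i, b in enumerate(parse_listing(LISTING)):
        lo, hi = ref_range(b)
        print(f"function {i}: refs {lo:08X}-{hi:08X}, api_id={b.api_id}, "
              f"string_id={b.string_id}, window_text={reads_window_text(b)}")
        for api, n in api_counts(b).most_common():
            print(f"  {api:<22} x{n}")
```

Feed the whole report text to parse_listing() and the "APIs"/"Similarity" headers delimit the functions on their own; the Memory Dump Source and hash lines are ignored because they do not match the call-line pattern.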
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00708D5A
                                                                                                                                                                                                                                                                                                                                                                                • GetFocus.USER32 ref: 00708D6A
                                                                                                                                                                                                                                                                                                                                                                                • GetDlgCtrlID.USER32(00000000), ref: 00708D75
                                                                                                                                                                                                                                                                                                                                                                                • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00708E1D
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00708ECF
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemCount.USER32(?), ref: 00708EEC
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemID.USER32(?,00000000), ref: 00708EFC
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00708F2E
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00708F70
                                                                                                                                                                                                                                                                                                                                                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00708FA1
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 0
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1026556194-4108050209
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d45ef84036d5c21a111bc7b7d87d3e210d71b001c0ce3636dc5ed4b14222c942
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 83dcb21141dbffcd3a08ed9f95094dd1422a7298ec9608683938b8f8443d331e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d45ef84036d5c21a111bc7b7d87d3e210d71b001c0ce3636dc5ed4b14222c942
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 62819B71508301EBDB61DF24C884AAB7BE9FB88314F144B1DF994972D1DB78E940CBA6
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006FCC64
                                                                                                                                                                                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 006FCC8D
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006FCD48
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 006FCCAA
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 006FCCBD
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006FCCCF
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006FCD05
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006FCD28
                                                                                                                                                                                                                                                                                                                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 006FCCF3
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                                                                                                                                                                                                                                                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2734957052-4033151799
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f7674d3f8ee197b39b3cdfaa5254bbff9e690a10a737bc635b382cc58d56e17b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 447dacb32c4b7b5dc55ce00c400781d541affac7b0b29563d51eac4516926066
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f7674d3f8ee197b39b3cdfaa5254bbff9e690a10a737bc635b382cc58d56e17b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 64318FB190112CFBDB218B50DD88EFFBB7DEF45760F004265BA06E2240DB349A45DAA4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
                                                                                                                                                                                                                                                                                                                                                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006DEA5D
                                                                                                                                                                                                                                                                                                                                                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006DEA73
                                                                                                                                                                                                                                                                                                                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006DEA84
                                                                                                                                                                                                                                                                                                                                                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006DEA96
                                                                                                                                                                                                                                                                                                                                                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006DEAA7
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: SendString$_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2420728520-1007645807
• Opcode ID: 476e65c7ed42a4627f93ee45605f253c6f43f440b7114ccf25ff2635b5d3e1d7
• Instruction ID: 1436753c3632b2f9b69f81b0a54a1e02250c22f4f3f7e8b10628e3fbd05cbe9c
• Opcode Fuzzy Hash: 476e65c7ed42a4627f93ee45605f253c6f43f440b7114ccf25ff2635b5d3e1d7
• Instruction Fuzzy Hash: 1B11A371A90269B9E720F7A1DC4AEFF6B7DEBD1B00F04842E7415A61D1EE701905C5B0
APIs
  • Part of subcall function 00688F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00688BE8,?,00000000,?,?,?,?,00688BBA,00000000,?), ref: 00688FC5
• DestroyWindow.USER32(?), ref: 00688C81
• KillTimer.USER32(00000000,?,?,?,?,00688BBA,00000000,?), ref: 00688D1B
• DestroyAcceleratorTable.USER32(00000000), ref: 006C6973
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00688BBA,00000000,?), ref: 006C69A1
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00688BBA,00000000,?), ref: 006C69B8
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00688BBA,00000000), ref: 006C69D4
• DeleteObject.GDI32(00000000), ref: 006C69E6
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: aaf47ed9c6cc6f320251c6b64ddc872e59e06962512f3fb33fec506f31cb1681
• Instruction ID: 1ca89b431d50c5069f4d831457f0a260187e184a06f5488fdec6be964d5a07eb
• Opcode Fuzzy Hash: aaf47ed9c6cc6f320251c6b64ddc872e59e06962512f3fb33fec506f31cb1681
• Instruction Fuzzy Hash: BB618A34502701DFDB22AF18DA48B6577F2FB41312F94861DE0429B6A4CB79B9C1CF98
APIs
  • Part of subcall function 00689944: GetWindowLongW.USER32(?,000000EB), ref: 00689952
• GetSysColor.USER32(0000000F), ref: 00689862
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 328cb60297e60e9bf15300406d301148116d0df6aa026a30e1c8f777823848aa
• Instruction ID: e52e004d583642cb01283189c00defd61ce432b574e60e9f3f89c614e2938649
• Opcode Fuzzy Hash: 328cb60297e60e9bf15300406d301148116d0df6aa026a30e1c8f777823848aa
• Instruction Fuzzy Hash: F0419671104645EFDB216F389C44BB93766EB06334F188B19F9A28B2E1DB759C42DB20
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID:
• String ID: .i
• API String ID: 0-2647164722
• Opcode ID: 1b14888ffa7fd3247c819b13f1829bcb15691249795c54fbf02785fbe466236f
• Instruction ID: 961b7e7fbb97fe650085df5b5cc1538ef016e3655e26618a537898f926b2ee69
• Opcode Fuzzy Hash: 1b14888ffa7fd3247c819b13f1829bcb15691249795c54fbf02785fbe466236f
• Instruction Fuzzy Hash: ECC1BE74904249AFDF11EFA8C841BEDBBB6AF0A350F244199E914A7392CB349E41CF65
APIs
• SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00705186
• ShowWindow.USER32(?,00000000), ref: 007051C7
• ShowWindow.USER32(?,00000005,?,00000000), ref: 007051CD
• SetFocus.USER32(?,?,00000005,?,00000000), ref: 007051D1
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00706FBA: DeleteObject.GDI32(00000000), ref: 00706FE6
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0070520D
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0070521A
                                                                                                                                                                                                                                                                                                                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0070524D
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00705287
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00705296
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3210457359-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 13a5069e973a49cdbb1f52b41b4e2ef9b8201fb5861d674d9071d545811cda96
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b55219d3064e295784a008a0e40e111670cd3c32dbd18cd714c80928bc60ec33
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 13a5069e973a49cdbb1f52b41b4e2ef9b8201fb5861d674d9071d545811cda96
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FF516D70A50A08FEEF209F28CC49B9A3BE5BF05321F148315F615962E1C779A990DF55
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 006C6890
                                                                                                                                                                                                                                                                                                                                                                                • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006C68A9
                                                                                                                                                                                                                                                                                                                                                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006C68B9
                                                                                                                                                                                                                                                                                                                                                                                • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006C68D1
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006C68F2
                                                                                                                                                                                                                                                                                                                                                                                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00688874,00000000,00000000,00000000,000000FF,00000000), ref: 006C6901
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006C691E
                                                                                                                                                                                                                                                                                                                                                                                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00688874,00000000,00000000,00000000,000000FF,00000000), ref: 006C692D
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1268354404-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 83eee9bb4338ece1ca243d5ade8f9222c247673d17612b82696b385c777376f1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 11c1b7d6e4c4fd7440daaefc27349bbe68ec01c10865dc60e74c4faa74f3f2c3
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 83eee9bb4338ece1ca243d5ade8f9222c247673d17612b82696b385c777376f1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 73518A70600209EFDB20EF24CC95FAA7BB6FB98750F10861CF906972A0DB75E991DB54
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0068912D: GetCursorPos.USER32(?), ref: 00689141
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0068912D: ScreenToClient.USER32(00000000,?), ref: 0068915E
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0068912D: GetAsyncKeyState.USER32(00000001), ref: 00689183
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0068912D: GetAsyncKeyState.USER32(00000002), ref: 0068919D
                                                                                                                                                                                                                                                                                                                                                                                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00708B6B
                                                                                                                                                                                                                                                                                                                                                                                • ImageList_EndDrag.COMCTL32 ref: 00708B71
                                                                                                                                                                                                                                                                                                                                                                                • ReleaseCapture.USER32 ref: 00708B77
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowTextW.USER32(?,00000000), ref: 00708C12
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00708C25
                                                                                                                                                                                                                                                                                                                                                                                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00708CFF
                                                                                                                                                                                                                                                                                                                                                                                Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u$p#t
• API String ID: 1924731296-1671718924
• Opcode ID: 26ad840af0730cef041afe6d42d582a95b37b67aacd6f5fd49b19aee2495d13f
• Instruction ID: 1f5cfae1fbae934faa860fb288faed7cd4dfbb7e8c492b389b92cfede825494a
• Opcode Fuzzy Hash: 26ad840af0730cef041afe6d42d582a95b37b67aacd6f5fd49b19aee2495d13f
• Instruction Fuzzy Hash: 9A519C70104200EFE744EF20CC5AFAA77E5FB88714F404A6DF996972E1CB78A944CB66
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,006BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 006D9717
• LoadStringW.USER32(00000000,?,006BF7F8,00000001), ref: 006D9720
  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
• GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,006BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 006D9742
• LoadStringW.USER32(00000000,?,006BF7F8,00000001), ref: 006D9745
• MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 006D9866
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wcslen
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 747408836-2268648507
• Opcode ID: 0a7ea43bb1d54b172ae17a86b866e66076228e8f664058fbf908c0abc6f624bd
• Instruction ID: e88a33200d289d6c6b95c8ef20e301fcce249961e015a2614b5129aea5058c98
• Opcode Fuzzy Hash: 0a7ea43bb1d54b172ae17a86b866e66076228e8f664058fbf908c0abc6f624bd
• Instruction Fuzzy Hash: 90416C72C00219AADF44EBE0CD82DEEB37AAF15300F108529F60972192EB356F48CB75
APIs
  • Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006D07A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006D07BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006D07DA
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 006D0804
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 006D082C
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006D0837
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006D083C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 323675364-22481851
• Opcode ID: a9881d0144a0a05913e14e8e5d124ddd87658b370fac4669da6d6e9cfdd7caaf
• Instruction ID: 0ed36880d66cbd24368fc716ecac9dd041d006da39c4ec6a8097c00d51165bd1
• Opcode Fuzzy Hash: a9881d0144a0a05913e14e8e5d124ddd87658b370fac4669da6d6e9cfdd7caaf
• Instruction Fuzzy Hash: 08410A72C10229EBDF15EBA4DC95DEDB779BF44350F048229E905A72A1EB346E04CBA4
APIs
• CoInitialize.OLE32(00000000), ref: 006E7AF3
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006E7B8F
• SHGetDesktopFolder.SHELL32(?), ref: 006E7BA3
• CoCreateInstance.OLE32(0070FD08,00000000,00000001,00736E6C,?), ref: 006E7BEF
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006E7C74
• CoTaskMemFree.OLE32(?,?), ref: 006E7CCC
• SHBrowseForFolderW.SHELL32(?), ref: 006E7D57
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006E7D7A
• CoTaskMemFree.OLE32(00000000), ref: 006E7D81
• CoTaskMemFree.OLE32(00000000), ref: 006E7DD6
• CoUninitialize.OLE32 ref: 006E7DDC
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2762341140-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b00f3f1b122351b12ac265a0450b98c68824a84e3092a9c1406340fee61c174f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 74d85b28364ef1653eaa2a56cf05f6dde8a0b73ccb3bd0f83c222d77a08fedef
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b00f3f1b122351b12ac265a0450b98c68824a84e3092a9c1406340fee61c174f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E6C12B75A04249EFDB14DFA5C884DAEBBFAFF48304B148598E4199B361DB30ED41CB94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006CFAAF
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayAllocData.OLEAUT32(?), ref: 006CFB08
                                                                                                                                                                                                                                                                                                                                                                                • VariantInit.OLEAUT32(?), ref: 006CFB1A
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 006CFB3A
                                                                                                                                                                                                                                                                                                                                                                                • VariantCopy.OLEAUT32(?,?), ref: 006CFB8D
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 006CFBA1
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 006CFBB6
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 006CFBC3
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006CFBCC
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 006CFBDE
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006CFBE9
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2706829360-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 57ab6e5875efb83cf7ff0572f58bac005fb5340e0f5dd77bfef27b310f1f8488
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 181a7d2077082db62aa23a4df02752fdf68bbdb2603554ef9a56183b50353b3c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 57ab6e5875efb83cf7ff0572f58bac005fb5340e0f5dd77bfef27b310f1f8488
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0C412D35A00219DFCB01DFA4C854EAEBBBAFF48354F008169F945A7261CB34A945CBA4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • WSAStartup.WSOCK32(00000101,?), ref: 006F05BC
                                                                                                                                                                                                                                                                                                                                                                                • inet_addr.WSOCK32(?), ref: 006F061C
                                                                                                                                                                                                                                                                                                                                                                                • gethostbyname.WSOCK32(?), ref: 006F0628
                                                                                                                                                                                                                                                                                                                                                                                • IcmpCreateFile.IPHLPAPI ref: 006F0636
                                                                                                                                                                                                                                                                                                                                                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006F06C6
                                                                                                                                                                                                                                                                                                                                                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006F06E5
                                                                                                                                                                                                                                                                                                                                                                                • IcmpCloseHandle.IPHLPAPI(?), ref: 006F07B9
                                                                                                                                                                                                                                                                                                                                                                                • WSACleanup.WSOCK32 ref: 006F07BF
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 2f04d0780e6f550ec04aedc5b3d1c6c97b03f1cca1982c6116d04f693ce592bc
• Instruction ID: d1b404af06126d7a71fa56de53c2b067b551c47ffdcd0e2d3ac908411c2ffa36
• Opcode Fuzzy Hash: 2f04d0780e6f550ec04aedc5b3d1c6c97b03f1cca1982c6116d04f693ce592bc
• Instruction Fuzzy Hash: C3918E75608205EFE720DF15C488F6ABBE2AF44318F1486A9F5698B7A2C774EC41CF91
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: _wcslen$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 707087890-567219261
• Opcode ID: b61a649eb86b0846f53e913e0a36edb375c92a6729bcc895bbb516ab15cda69e
• Instruction ID: b0d4fb03cef16580cd8028ebff4218d2a3d975d9bd7987a602127c064e313e1b
• Opcode Fuzzy Hash: b61a649eb86b0846f53e913e0a36edb375c92a6729bcc895bbb516ab15cda69e
• Instruction Fuzzy Hash: 6B519E32A0451A9FCF24DF68C9518FEB7A7AF64320B2042A9E626E7385DB34DD41C790
APIs
• CoInitialize.OLE32 ref: 006F3774
• CoUninitialize.OLE32 ref: 006F377F
• CoCreateInstance.OLE32(?,00000000,00000017,0070FB78,?), ref: 006F37D9
• IIDFromString.OLE32(?,?), ref: 006F384C
• VariantInit.OLEAUT32(?), ref: 006F38E4
• VariantClear.OLEAUT32(?), ref: 006F3936
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
• Opcode ID: 794677a61ddf62d41f43bb5227679d897deb79fe51f6d09ff04ec3758700744a
• Instruction ID: 728f2c91f1d38496da38f506c30bada1fc0b5692b257b17e82ad5021262fc189
• Opcode Fuzzy Hash: 794677a61ddf62d41f43bb5227679d897deb79fe51f6d09ff04ec3758700744a
• Instruction Fuzzy Hash: 2E61D1B0608315AFD310EF54C849BAAB7E6EF48740F10490DFA959B391C774EE49CB9A
APIs
• GetLocalTime.KERNEL32(?), ref: 006E8257
• SystemTimeToFileTime.KERNEL32(?,?), ref: 006E8267
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006E8273
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006E8310
• SetCurrentDirectoryW.KERNEL32(?), ref: 006E8324
• SetCurrentDirectoryW.KERNEL32(?), ref: 006E8356
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006E838C
• SetCurrentDirectoryW.KERNEL32(?), ref: 006E8395
Strings
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
• Opcode ID: 8b8de0d4136bbafba370b92f13ddcedf7fdb087948877f7ac7b0fa76c5a5177c
• Instruction ID: b853d72387f06cd189d779f5f7453ed9a5d1df8741c063e7a422ef5aad83057c
• Opcode Fuzzy Hash: 8b8de0d4136bbafba370b92f13ddcedf7fdb087948877f7ac7b0fa76c5a5177c
• Instruction Fuzzy Hash: DD6199B25043459FDB10EF60C8409AEB3EAFF89310F04892EF989D7251EB35E905CB96
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00675C7A
  • Part of subcall function 00675D0A: GetClientRect.USER32(?,?), ref: 00675D30
  • Part of subcall function 00675D0A: GetWindowRect.USER32(?,?), ref: 00675D71
  • Part of subcall function 00675D0A: ScreenToClient.USER32(?,?), ref: 00675D99
• GetDC.USER32 ref: 006B46F5
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006B4708
• SelectObject.GDI32(00000000,00000000), ref: 006B4716
                                                                                                                                                                                                                                                                                                                                                                                • SelectObject.GDI32(00000000,00000000), ref: 006B472B
                                                                                                                                                                                                                                                                                                                                                                                • ReleaseDC.USER32(?,00000000), ref: 006B4733
                                                                                                                                                                                                                                                                                                                                                                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006B47C4
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u$U
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4009187628-4110099822
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ff04cab823feff746b34d3623d4e0730097820abae555fc08eb0b52d3d73e30c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 56a4a7f4c551402d30aa8a1c753861c8eb8c94e1a921f43753e733e01f9e371b
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ff04cab823feff746b34d3623d4e0730097820abae555fc08eb0b52d3d73e30c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4971E274400205DFCF228F64C984AFA3BB7FF4A320F148269E9565A2A7DF359881DF50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006E33CF
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006E33F0
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: LoadString$_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4099089115-3080491070
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 914ee0225153708be1f30a3218153586735e62053c173846205b4c464a2cb66d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 6332a1571332a80c1a12b0048c682531dd1445d6e6c6d1eb5d57d30b44fc5816
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 914ee0225153708be1f30a3218153586735e62053c173846205b4c464a2cb66d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8D51B371C00259BADF15EBA0CD46DEEB7BAAF04300F108169F10973292EB352F58DB65
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen$BuffCharUpper
                                                                                                                                                                                                                                                                                                                                                                                • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1256254125-769500911
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d0dd55cb5235c66e5266a18c2eaf958ac2582ca189e5d53547ca5e023834583b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: c07c7f91aa5c155e24574400f58cf3a28726ab3745187b0d98c3348f4dea4880
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d0dd55cb5235c66e5266a18c2eaf958ac2582ca189e5d53547ca5e023834583b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A841D632E00066DBCB205F7D88905FE77A7AFA5B54B26522BE425D7388E735CD82C790
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 006E53A0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006E5416
• GetLastError.KERNEL32 ref: 006E5420
• SetErrorMode.KERNEL32(00000000,READY), ref: 006E54A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 137c6b1f4c97a972b94867157da81f31cc24563ba5cdc47bbb07ecf85cce6d39
• Instruction ID: ac43dc98e7e11303504f6328590e8d4bdc9b4bfb5596be3d7344ed7217b4b1ad
• Opcode Fuzzy Hash: 137c6b1f4c97a972b94867157da81f31cc24563ba5cdc47bbb07ecf85cce6d39
• Instruction Fuzzy Hash: C731AC35A01244DFDB11DF69C484AEABBF6EB04309F14C069E406CB392DB74DD86CBA1
APIs
• DeleteObject.GDI32(00000000), ref: 00702D1B
• GetDC.USER32(00000000), ref: 00702D23
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00702D2E
• ReleaseDC.USER32(00000000,00000000), ref: 00702D3A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00702D76
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00702D87
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00705A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00702DC2
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00702DE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID: @U=u
• API String ID: 3864802216-2594219639
• Opcode ID: 5c46a6ed5478c71badfeb5d148e0a94dbef7f655205e1987a8c25bde12ca5f6f
• Instruction ID: 18cb79cbd0deb4d6c4d8faab1d6acae193abd08c1e2e90dfddf28b907ba514ef
• Opcode Fuzzy Hash: 5c46a6ed5478c71badfeb5d148e0a94dbef7f655205e1987a8c25bde12ca5f6f
• Instruction Fuzzy Hash: DE316D72201214BBEB254F50CC89FEB3BADEB09715F048255FE089A2D1CA799C51C7A4
APIs
• GetParent.USER32 ref: 006D20AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 006D20C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006D214D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ClassMessageNameParentSend
• String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-1428604138
• Opcode ID: b41218cc65bf28b62434a9ab74909b6c7e2e0f6123a34fe110dccd862d7c2bd5
• Instruction ID: 68ed46c8bfa399d94d3b2bc990430dafc8b527ab5ceaa0c4279dfb5e14adf831
• Opcode Fuzzy Hash: b41218cc65bf28b62434a9ab74909b6c7e2e0f6123a34fe110dccd862d7c2bd5
• Instruction Fuzzy Hash: 6D110AB6A84707B9FA112221DC17DE6779DCF25724F20821BF704A52D2EE6558435618
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00703A9D
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00703AA0
• GetWindowLongW.USER32(?,000000F0), ref: 00703AC7
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00703AEA
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00703B62
• SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00703BAC
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00703BC7
• SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00703BE2
• SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00703BF6
• SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00703C13
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$LongWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 312131281-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 80e6f623b977867c3f8ceacc3ee196842cc9995b33ddcde4c2c7264bf7cafc8e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 269b861bf384352031b736c45742c4dfefb650575eecca30bf3f780f22a4608e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 80e6f623b977867c3f8ceacc3ee196842cc9995b33ddcde4c2c7264bf7cafc8e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F7616975900248EFDB10DFA8CC81EEE77F8AB09704F10419AFA15E72D1D778AA81DB64
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 006DB151
                                                                                                                                                                                                                                                                                                                                                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB165
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowThreadProcessId.USER32(00000000), ref: 006DB16C
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB17B
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 006DB18D
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB1A6
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB1B8
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB1FD
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB212
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB21D
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2156557900-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 709db3c2d605a110ee1de1f72972df33dfe07301fd35ddd4137e5bcf8a55d026
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4d44701a26dec6edc523765ff71ca5aaf90a7c126363c9b605291b6250ed83b5
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 709db3c2d605a110ee1de1f72972df33dfe07301fd35ddd4137e5bcf8a55d026
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A331D476900204FFDB219F24EC84BBD7B7BBB11355F159206F904CA360C7B99A008F28
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2C94
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2CA0
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2CAB
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2CB6
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2CC1
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2CCC
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2CD7
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2CE2
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2CED
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2CFB
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 16eb800bdcc9db27220e0630d8d83e263acc969aadf3040afade471a50d397ef
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 2480636e62e1127ee3153409c0342597b5ae6d768a43d625537857cd2ceee47b
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 16eb800bdcc9db27220e0630d8d83e263acc969aadf3040afade471a50d397ef
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DA11B476140109AFCB82FF59D852CDE3BA6BF06B50F4144A8FA485B222D631FE509F95
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006E35E4
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00742390,?,00000FFF,?), ref: 006E360A
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: LoadString$_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4099089115-2391861430
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: cdc57023362fe5a18ff10077f2502dee27b35ade4aade72b6731eaa45ebea60f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 289bf1b2a2f7ef3a4ab94a7f569c0a6635afa9856c27148bfbcd2b5301964a42
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cdc57023362fe5a18ff10077f2502dee27b35ade4aade72b6731eaa45ebea60f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B6519171C00259BADF15EBA0CC46EEEBB76AF14300F148129F10972292EB355B99DF69
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00703925
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0070393A
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00703954
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 00703999
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 007039C6
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007039F4
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$Window_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u$SysListView32
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2147712094-1908207174
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 45b8f4a1b36e9b1665477addd177c8265be09fd54c07bac0a3de18a97d0a1e0d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 6a04596dacc7579b1bf9a65f365954b6a0a13a3359edfcdffeb357a65b6c391e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 45b8f4a1b36e9b1665477addd177c8265be09fd54c07bac0a3de18a97d0a1e0d
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3241B271A00219EBEF219F64CC49BEA77EDEF08354F10426AF958E72C1D7799980CB94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00702E1C
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00702E4F
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00702E84
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00702EB6
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00702EE0
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00702EF1
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00702F0B
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
• API ID: LongWindow$MessageSend
• String ID: @U=u
• API String ID: 2178440468-2594219639
• Opcode ID: 1f9e6a0e6c944f76ce761bca823f7a13b9e8992206747e358760c08bfcb1f029
• Instruction ID: fdae566cf3ca6a9e678b6a3c1bbfed0c9f183b755405ae6570089816d347c564
• Opcode Fuzzy Hash: 1f9e6a0e6c944f76ce761bca823f7a13b9e8992206747e358760c08bfcb1f029
• Instruction Fuzzy Hash: 2E311436684140EFDB219F58DC8CF6537E4EB4A750F1542A5FA048B2F2CB79A8829B04
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006EC272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006EC29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006EC2CA
• GetLastError.KERNEL32 ref: 006EC322
• SetEvent.KERNEL32(?), ref: 006EC336
• InternetCloseHandle.WININET(00000000), ref: 006EC341
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 534321841cdee73a0bd96cbf20d4494e9afd67dbf064f1bc0ad7a32b2873500a
• Instruction ID: 6b8dc29ae11dd4f7baabd4194764310d4b09079b7dc793e85ce2b8364c37bc74
• Opcode Fuzzy Hash: 534321841cdee73a0bd96cbf20d4494e9afd67dbf064f1bc0ad7a32b2873500a
• Instruction Fuzzy Hash: 4231A0B1501344AFD7229F66CC88AAB7BFEEB49760F14861DF446D3200DB34DD069B65
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006B3AAF,?,?,Bad directive syntax error,0070CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006D98BC
• LoadStringW.USER32(00000000,?,006B3AAF,?), ref: 006D98C3
  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006D9987
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Opcode ID: bdf7c62a71b00a9612c58ca43504a61b9cebf297fd6fb4b0da608edf8f7e6c4a
• Instruction ID: f0ee5a71202398247aa237a0f0fe28285e375a8d004a621424737556ab49968c
• Opcode Fuzzy Hash: bdf7c62a71b00a9612c58ca43504a61b9cebf297fd6fb4b0da608edf8f7e6c4a
• Instruction Fuzzy Hash: 94219171C0021AFBDF26AF90CC16EEE777AFF18300F04851AF519661A2EB359618DB25
APIs
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: _free$EnvironmentVariable___from_strstr_to_strchr
• String ID:
• API String ID: 1282221369-0
• Opcode ID: 133253ee5374471779c4172d7abc5b92c3ba4258a56ac5eefa124f9cd37f2f61
• Instruction ID: a5c455049e7455b1a96b77c536fd450dc88ee893fd5376cb2bc9e6dd28625f22
• Opcode Fuzzy Hash: 133253ee5374471779c4172d7abc5b92c3ba4258a56ac5eefa124f9cd37f2f61
• Instruction Fuzzy Hash: 4E6159B2A04301AFDF21BFB89851AAA7B97AF03730F04416EFA5597381D7359D018FA5
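The two listings above are the entries worth pulling out of a report this long: the WinInet routine at 006EC253 (InternetOpenUrlW, HttpSendRequestW, HttpQueryInfoW, then SetEvent and InternetCloseHandle on the error path) is the sample's HTTP client, and the routine at 006D98BC, whose GetModuleHandleW arguments carry "Bad directive syntax error" and ">>>AUTOIT SCRIPT<<<" and which formats "Line %d (File "%s"):" into a MessageBoxW, is the AutoIt runtime's error reporter, which is what the "compiled AutoIt script" verdict rests on. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's "APIs" lines into call records, keeps the "Part of subcall function" nesting, lists each function's WinInet calls in report order, and flags those AutoIt marker strings. The sample text is constructed by copying lines from this page (including the InternetConnectW caller listed further down); the comma split of arguments and the marker list are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: "APIs" lines copied from this report (functions at
# 006EC253, 006D98BC and 006EC182). Real input would be the full report text.
SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006EC272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006EC29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006EC2CA
• GetLastError.KERNEL32 ref: 006EC322
• SetEvent.KERNEL32(?), ref: 006EC336
• InternetCloseHandle.WININET(00000000), ref: 006EC341
Strings
Memory Dump Source
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006B3AAF,?,?,Bad directive syntax error,0070CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006D98BC
• LoadStringW.USER32(00000000,?,006B3AAF,?), ref: 006D98C3
  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006D9987
Strings
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006EC182
• GetLastError.KERNEL32 ref: 006EC195
• SetEvent.KERNEL32(?), ref: 006EC1A9
  • Part of subcall function 006EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006EC272
  • Part of subcall function 006EC253: InternetCloseHandle.WININET(00000000), ref: 006EC341
Memory Dump Source
"""

# One report line: optional "Part of subcall function <addr>:" prefix,
# Func.MODULE, optional "(args)", then "ref: <addr>". Lines such as
# "GetLastError.KERNEL32 ref: ..." have no argument list at all.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Marker strings the report shows in the AutoIt error reporter's arguments
# (assumption of this example: treat either as evidence of the AutoIt runtime).
AUTOIT_MARKERS = (">>>AUTOIT SCRIPT<<<", "Bad directive syntax error")

# Any of these means the function (or a callee) actually issues an HTTP request.
HTTP_REQUEST_FUNCS = {"InternetOpenUrlW", "HttpSendRequestW"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # callee address for "Part of subcall" lines


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)

    @property
    def direct(self) -> List[ApiCall]:
        return [c for c in self.calls if c.subcall_of is None]


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the report on 'APIs' headings and parse each function's call lines."""
    blocks: List[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        m = API_RE.match(line)
        if m and current is not None:
            # Assumption: arguments never contain commas (true for this report).
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(
                ApiCall(m["func"], m["module"].upper(), args, m["ref"].upper(), m["caller"])
            )
    return blocks


def wininet_sequence(block: FunctionBlock) -> List[str]:
    """WinInet calls (direct and via subcalls) in the order the report lists them."""
    return [c.func for c in block.calls if c.module == "WININET"]


def makes_http_request(block: FunctionBlock) -> bool:
    return any(c.func in HTTP_REQUEST_FUNCS for c in block.calls)


def autoit_markers(block: FunctionBlock) -> List[str]:
    """AutoIt runtime marker strings found among the block's call arguments."""
    return [m for m in AUTOIT_MARKERS
            if any(m in a for c in block.calls for a in c.args)]


def summarize(text: str) -> List[dict]:
    """One triage record per function: where it is, what it does on the network, AutoIt evidence."""
    return [{
        "first_ref": b.calls[0].ref if b.calls else None,
        "wininet": wininet_sequence(b),
        "http": makes_http_request(b),
        "autoit": autoit_markers(b),
    } for b in parse_blocks(text)]


if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec)
```

Running it on the full report text instead of SAMPLE gives one record per analysed function, so the HTTP client and the AutoIt runtime can be located without scrolling through hundreds of fuzzy-hash entries.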
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006EC182
• GetLastError.KERNEL32 ref: 006EC195
• SetEvent.KERNEL32(?), ref: 006EC1A9
  • Part of subcall function 006EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006EC272
  • Part of subcall function 006EC253: GetLastError.KERNEL32 ref: 006EC322
  • Part of subcall function 006EC253: SetEvent.KERNEL32(?), ref: 006EC336
  • Part of subcall function 006EC253: InternetCloseHandle.WININET(00000000), ref: 006EC341
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 337547030-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 4bde984bd5a0a5102e1fa382b73acccb489b9f2b38515589985090938373ffef
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 3f852aab8c719eeacf9336fcba470bb4d767cc59c85f59e8b132b2dc38c49155
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4bde984bd5a0a5102e1fa382b73acccb489b9f2b38515589985090938373ffef
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7E31A371101781EFDB219FA6DC04AA6BBFAFF14320B00861DFA5683610DB34E9169B64
APIs
  • Part of subcall function 006D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006D3A57
  • Part of subcall function 006D3A3D: GetCurrentThreadId.KERNEL32 ref: 006D3A5E
  • Part of subcall function 006D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006D25B3), ref: 006D3A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 006D25BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006D25DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 006D25DF
• MapVirtualKeyW.USER32(00000025,00000000), ref: 006D25E9
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006D2601
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 006D2605
• MapVirtualKeyW.USER32(00000025,00000000), ref: 006D260F
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006D2623
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 006D2627
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
• Opcode ID: 42bcdcc8216e6f440b01744f77bfa3ac36723d3d482e0630b665d0cd65ee62ee
• Instruction ID: 78124d093e3c95c5c994b836859b608e8672a83bf00d1a3de96a0930037dff10
• Opcode Fuzzy Hash: 42bcdcc8216e6f440b01744f77bfa3ac36723d3d482e0630b665d0cd65ee62ee
• Instruction Fuzzy Hash: 5301D870790214FBFB2167689C8AF593F59DB5EB11F104246F314AF1D1CDE258448AAE
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,006D1449,?,?,00000000), ref: 006D180C
• HeapAlloc.KERNEL32(00000000,?,006D1449,?,?,00000000), ref: 006D1813
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006D1449,?,?,00000000), ref: 006D1828
• GetCurrentProcess.KERNEL32(?,00000000,?,006D1449,?,?,00000000), ref: 006D1830
• DuplicateHandle.KERNEL32(00000000,?,006D1449,?,?,00000000), ref: 006D1833
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006D1449,?,?,00000000), ref: 006D1843
• GetCurrentProcess.KERNEL32(006D1449,00000000,?,006D1449,?,?,00000000), ref: 006D184B
• DuplicateHandle.KERNEL32(00000000,?,006D1449,?,?,00000000), ref: 006D184E
• CreateThread.KERNEL32(00000000,00000000,006D1874,00000000,00000000,00000000), ref: 006D1868
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: ef672dc6a7adb94e9f1a8c74c72bb4892f120e7c400fedcefb95a5c3decefa95
• Instruction ID: eb80c960bd1e4e1e56d19bb185b584f443b2bd7f861571f33673b222af157613
• Opcode Fuzzy Hash: ef672dc6a7adb94e9f1a8c74c72bb4892f120e7c400fedcefb95a5c3decefa95
• Instruction Fuzzy Hash: 1E01ACB5640308FFE611EB65DC4AF577B6CEB89B11F018611FA05DB191CA749800CB24
APIs
  • Part of subcall function 006DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 006DD501
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 006DD50F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DD4DC: CloseHandle.KERNEL32(00000000), ref: 006DD5DC
                                                                                                                                                                                                                                                                                                                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006FA16D
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 006FA180
                                                                                                                                                                                                                                                                                                                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006FA1B3
                                                                                                                                                                                                                                                                                                                                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 006FA268
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32(00000000), ref: 006FA273
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 006FA2C4
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                                                                                                                                                                                                                                                                                • String ID: SeDebugPrivilege
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2533919879-2896544425
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b63b76156d641080ffb7930d799455b8103ac52e8299e6aae97cf7642896fe16
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 5aff731c2cb228ab64cf7577421d54f0aa21ffd12b1a4c9f7018611e4f2106aa
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b63b76156d641080ffb7930d799455b8103ac52e8299e6aae97cf7642896fe16
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7D61B0B02042429FD710DF58C494F69BBE2AF44318F18C58CE56A4B7A3C776ED45CB96
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00692D4B
                                                                                                                                                                                                                                                                                                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00692D53
                                                                                                                                                                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00692DE1
                                                                                                                                                                                                                                                                                                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00692E0C
                                                                                                                                                                                                                                                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 00692E61
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                                                                                                                                                • String ID: &Hi$csm
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1170836740-3182968335
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 909f681e87e1e587ee92a4b9eb82afdf5526e11797724bdb8d726598732fcb99
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 3205d1a90cf8b17c2e74eb8b6ecceb0443587f409363a963727d850fb2be1d8c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 909f681e87e1e587ee92a4b9eb82afdf5526e11797724bdb8d726598732fcb99
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A941A434A0121AABCF10DF68C855ADEBBBABF44324F148159E8146B792D7359A45CBD0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,006CF3AB,00000000,?,?,00000000,?,006C682C,00000004,00000000,00000000), ref: 0070824C
                                                                                                                                                                                                                                                                                                                                                                                • EnableWindow.USER32(?,00000000), ref: 00708272
                                                                                                                                                                                                                                                                                                                                                                                • ShowWindow.USER32(FFFFFFFF,00000000), ref: 007082D1
                                                                                                                                                                                                                                                                                                                                                                                • ShowWindow.USER32(?,00000004), ref: 007082E5
                                                                                                                                                                                                                                                                                                                                                                                • EnableWindow.USER32(?,00000001), ref: 0070830B
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0070832F
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID: @U=u
• API String ID: 642888154-2594219639
• Opcode ID: 4cd0432fc5fec056690d91500166435605558b17626b459ed0fe539a17edcb87
• Instruction ID: f0f73eca5965833b47b16edb397b114f9d06b5fef432b7e5df41a817c7c5d6cd
• Opcode Fuzzy Hash: 4cd0432fc5fec056690d91500166435605558b17626b459ed0fe539a17edcb87
• Instruction Fuzzy Hash: 3941A734601644EFDF61CF15C899BE87BE0FB4A714F1853A9E6484B2E2CB39A841CB56
APIs
• IsWindowVisible.USER32(?), ref: 006D4C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006D4CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006D4CEA
• _wcslen.LIBCMT ref: 006D4D08
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006D4D10
• _wcsstr.LIBVCRUNTIME ref: 006D4D1A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
• String ID: @U=u
• API String ID: 72514467-2594219639
• Opcode ID: 80db2615f86b0a78f4445892a3bc8d3820cf5ad363611ba26a01e00745e6b6c9
• Instruction ID: ecbd7b254e79d0211498ff6ea0c78597edc6f75a970f887ef498e9328570876d
• Opcode Fuzzy Hash: 80db2615f86b0a78f4445892a3bc8d3820cf5ad363611ba26a01e00745e6b6c9
• Instruction Fuzzy Hash: F9212632A04200BBEB265B39EC49E7B7B9EDF45750F10816EF809CA391EE75CC4187A0
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 006DC913
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: e9d624c311c0e71f7b73fe18215acae04106180f67581b12c18cb07225661f46
• Instruction ID: 52e4f56932625c58140859cf7a9a9701aba3c97470f322aa8a4e4dc35698d684
• Opcode Fuzzy Hash: e9d624c311c0e71f7b73fe18215acae04106180f67581b12c18cb07225661f46
• Instruction Fuzzy Hash: AA110D31E8930FBAEB015B55DC93CEA679DDF15374B50412FF504AA382EF745D029268
APIs
• GetClientRect.USER32(?), ref: 006C7452
• SendMessageW.USER32(?,00001328,00000000,?), ref: 006C7469
• GetWindowDC.USER32(?), ref: 006C7475
• GetPixel.GDI32(00000000,?,?), ref: 006C7484
• ReleaseDC.USER32(?,00000000), ref: 006C7496
• GetSysColor.USER32(00000005), ref: 006C74B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ClientColorMessagePixelRectReleaseSendWindow
• String ID: @U=u
• API String ID: 272304278-2594219639
• Opcode ID: 1c15c0363d9dfc0bd25dbc52de4c39a9cfafd076c29ec7d5465d5b788d05dbd3
• Instruction ID: daa58f340d3dba5b5165cfac607ee21e4383d219b672dd9f3265269fe5f865c6
• Opcode Fuzzy Hash: 1c15c0363d9dfc0bd25dbc52de4c39a9cfafd076c29ec7d5465d5b788d05dbd3
• Instruction Fuzzy Hash: EF017831400205EFDB225F64DC08BAA7BB6FB04321F608264FA15A21A0CF352E52AF14
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen$LocalTime
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 952045576-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 93a89ff810cfe9e4dbb9530c6e21bfcad32dad85b7d329cf7135e2ac6aefaef2
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 6f74209bb422ebd463b90c110a7ff70d944093fd40f6959a18d3bd15cc6144fb
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 93a89ff810cfe9e4dbb9530c6e21bfcad32dad85b7d329cf7135e2ac6aefaef2
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DD418E65C1021865CF51EBB4C88A9CFB7AEAF45710F50856BF518E3622EB34E345C3E9
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006C682C,00000004,00000000,00000000), ref: 0068F953
                                                                                                                                                                                                                                                                                                                                                                                • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,006C682C,00000004,00000000,00000000), ref: 006CF3D1
                                                                                                                                                                                                                                                                                                                                                                                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006C682C,00000004,00000000,00000000), ref: 006CF454
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ShowWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1268545403-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ca43b4238af6012c062c7364d1455d49cb1c7e6e58f5f5f1de72d825ec9d365b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4761b7dd533359bf66a192223f631e206caa7a11c7099864f218f7b46d230085
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ca43b4238af6012c062c7364d1455d49cb1c7e6e58f5f5f1de72d825ec9d365b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F8410B31604680FACF39AB29C888BBA7BD7EB56310F14873DF14756661CA3AA881C751
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _memcmp
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2931989736-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 7df87ae49d766603cf6a19365a65cd6d9f1030a32d5bc69e109d775fbe36b23f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 9c42e6554a52075350f9fe4fb24d8afaf7adb4879f997c180c38f0434f5be617
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7df87ae49d766603cf6a19365a65cd6d9f1030a32d5bc69e109d775fbe36b23f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 78213AA1E40A09F7E61456208DA2FFB33AFAF11384F640026FD065EF81FB24ED1181A8
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 0-572801152
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d573bef8f70802607051df11d930243a3d7fcc35a8fa02de7cc7dee318bf457b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 71a0a4d318dd0594008c0298ac2c4c7607c3ed9f5874e6f9424cdcab5b8d76f8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d573bef8f70802607051df11d930243a3d7fcc35a8fa02de7cc7dee318bf457b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5AD18071A0060AAFDB14DF98C881BFEB7B6BF48344F148169EA16AB281E771DD45CB50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,006B17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 006B15CE
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006B1651
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,006B17FB,?,006B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006B16E4
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006B16FB
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006A3820: RtlAllocateHeap.NTDLL(00000000,?,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6,?,00671129), ref: 006A3852
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006B1777
                                                                                                                                                                                                                                                                                                                                                                                • __freea.LIBCMT ref: 006B17A2
                                                                                                                                                                                                                                                                                                                                                                                • __freea.LIBCMT ref: 006B17AE
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2829977744-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: fbda61ab4bf939caf0dbc5d51a61adcd8fb8a223ebdb97ea10148ecbd8e86301
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ab08c8e059c0d446a027033824565beb3ada17191038664e6749f4d833db0e0f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fbda61ab4bf939caf0dbc5d51a61adcd8fb8a223ebdb97ea10148ecbd8e86301
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1B91A7F2E10216BADF219F64C861AEE7BB79F46310F944669E801EF241DB35DD81CB60
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Variant$ClearInit
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2610073882-625585964
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: eb5b58a5e639c9bbfabcade2d139f68bf11a1afe5b29a25bcd5a382aa0e2ba95
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ccafdae2eaa156d9244f70069079c10319f6425691eccd07fed930571519d92a
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eb5b58a5e639c9bbfabcade2d139f68bf11a1afe5b29a25bcd5a382aa0e2ba95
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A3919171A00219ABDF24DFA5C884FEF7BBAEF45710F108559F605AB280DB709941CFA0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 006E125C
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 006E1284
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 006E12A8
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006E12D8
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006E135F
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006E13C4
                                                                                                                                                                                                                                                                                                                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006E1430
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2550207440-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 71ab7a8430dc912d2d8ad2649d5811963b5499300878af567420c331077451ea
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ee3364e34539cad95b8ae3c80cd2547d54f0e75e349922a3cbed448b5a3df7cd
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 71ab7a8430dc912d2d8ad2649d5811963b5499300878af567420c331077451ea
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EC91CE71A013499FDB019FA5C884BFEB7B6FF46314F148129EA00EB291D774A981DB94
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 8591dfef9a5a902f2cab8b6d58c38f83a6a6b79bed83c862ad59c1bc14455917
• Instruction ID: dc2012e2870f37fbf3d9463bcf97227a1db985ade4a88fc053a53e675483b50e
• Opcode Fuzzy Hash: 8591dfef9a5a902f2cab8b6d58c38f83a6a6b79bed83c862ad59c1bc14455917
• Instruction Fuzzy Hash: A7912871900219EFCB11DFA9CC84AEEBBB9FF49320F148259E515B7251D778AA42CF60
APIs
• VariantInit.OLEAUT32(?), ref: 006F396B
• CharUpperBuffW.USER32(?,?), ref: 006F3A7A
• _wcslen.LIBCMT ref: 006F3A8A
• VariantClear.OLEAUT32(?), ref: 006F3C1F
  • Part of subcall function 006E0CDF: VariantInit.OLEAUT32(00000000), ref: 006E0D1F
  • Part of subcall function 006E0CDF: VariantCopy.OLEAUT32(?,?), ref: 006E0D28
  • Part of subcall function 006E0CDF: VariantClear.OLEAUT32(?), ref: 006E0D34
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4137639002-1221869570
• Opcode ID: 09d029520b9676b6ffda207fd80c6d6ef13cb587d46bb0f426436f551a33c1b1
• Instruction ID: 5a028cc8bece9984f7a8d3b7f64f13a1693ac79d1b269c990f76979706ca671d
• Opcode Fuzzy Hash: 09d029520b9676b6ffda207fd80c6d6ef13cb587d46bb0f426436f551a33c1b1
• Instruction Fuzzy Hash: 4A919A746083059FC744EF24C49186AB7E6FF88314F14892DF98A9B351DB31EE46CB96
APIs
  • Part of subcall function 006D000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?,?,006D035E), ref: 006D002B
  • Part of subcall function 006D000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?), ref: 006D0046
  • Part of subcall function 006D000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?), ref: 006D0054
  • Part of subcall function 006D000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?), ref: 006D0064
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 006F4C51
• _wcslen.LIBCMT ref: 006F4D59
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 006F4DCF
• CoTaskMemFree.OLE32(?), ref: 006F4DDA
Strings
Similarity
• API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 614568839-2785691316
• Opcode ID: bc0f47f79175b9ea75e6bd5d76fc8e258bee3a4f75774733753b778523d4fa87
• Instruction ID: ab5772f8b430c3d32abf7a4a95d494ba78dbc0cd82398f652e193c267042c56a
• Opcode Fuzzy Hash: bc0f47f79175b9ea75e6bd5d76fc8e258bee3a4f75774733753b778523d4fa87
• Instruction Fuzzy Hash: 12912971D0021DEFDF14DFA4C891AEEB7BABF48310F10816AE519A7251EB345A45CFA4
APIs
• GetMenu.USER32(?), ref: 00702183
• GetMenuItemCount.USER32(00000000), ref: 007021B5
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007021DD
• _wcslen.LIBCMT ref: 00702213
• GetMenuItemID.USER32(?,?), ref: 0070224D
• GetSubMenu.USER32(?,?), ref: 0070225B
  • Part of subcall function 006D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006D3A57
  • Part of subcall function 006D3A3D: GetCurrentThreadId.KERNEL32 ref: 006D3A5E
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006D25B3), ref: 006D3A65
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007022E3
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DE97B: Sleep.KERNEL32 ref: 006DE9F3
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4196846111-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: af8f4eec42fd98d843a11b01ff116707d183b847f3f7942bd5c6f4b710012212
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 9c9a81992fed742fddc66f718af10f91ba5d456708ba18accb8b395fc1e3456c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: af8f4eec42fd98d843a11b01ff116707d183b847f3f7942bd5c6f4b710012212
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E8717376E00205EFCB51DFA4C845AAEB7F5FF48310F158559E816EB392DB38AD428B90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetParent.USER32(?), ref: 006DAEF9
                                                                                                                                                                                                                                                                                                                                                                                • GetKeyboardState.USER32(?), ref: 006DAF0E
                                                                                                                                                                                                                                                                                                                                                                                • SetKeyboardState.USER32(?), ref: 006DAF6F
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 006DAF9D
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 006DAFBC
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 006DAFFD
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 006DB020
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 87235514-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 043af0cb1be4700f9fe427f778701e8547483125b6af02a8bf9c2a297f7fabc5
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 2b0489891ab7864c9d52ffbce37fd8ca7648c4fd1601cba0003b2506cd738a61
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 043af0cb1be4700f9fe427f778701e8547483125b6af02a8bf9c2a297f7fabc5
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2A51E1A1E083D17DFB3643748845BFBBEAA5B06304F08858AE1D985AC2C399A9C8D751
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetParent.USER32(00000000), ref: 006DAD19
                                                                                                                                                                                                                                                                                                                                                                                • GetKeyboardState.USER32(?), ref: 006DAD2E
                                                                                                                                                                                                                                                                                                                                                                                • SetKeyboardState.USER32(?), ref: 006DAD8F
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006DADBB
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006DADD8
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006DAE17
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006DAE38
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: c54d3b21f73a98c052cdd55a403d0c1d1d514e8f54e158fe3b728a14135bdf79
• Instruction ID: 218ac6f0fbc4ace1fb4c08258d0be01ac91a568c254b1f1694179c89aa322723
• Opcode Fuzzy Hash: c54d3b21f73a98c052cdd55a403d0c1d1d514e8f54e158fe3b728a14135bdf79
• Instruction Fuzzy Hash: 1651C4B1D087D53DFB3243A48C55BBA7FAB5F46300F08858AE1D546B82C694EC84E766
APIs
• GetConsoleCP.KERNEL32(006B3CD6,?,?,?,?,?,?,?,?,006A5BA3,?,?,006B3CD6,?,?), ref: 006A5470
• __fassign.LIBCMT ref: 006A54EB
• __fassign.LIBCMT ref: 006A5506
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,006B3CD6,00000005,00000000,00000000), ref: 006A552C
• WriteFile.KERNEL32(?,006B3CD6,00000000,006A5BA3,00000000,?,?,?,?,?,?,?,?,?,006A5BA3,?), ref: 006A554B
• WriteFile.KERNEL32(?,?,00000001,006A5BA3,00000000,?,?,?,?,?,?,?,?,?,006A5BA3,?), ref: 006A5584
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 016ac131edd1c08c35bbdabb11c70abed8abf0a652261ceadfdb5cee7b8d7a2c
• Instruction ID: c5186868d9ee7a636b5210b62c84bf92ab4b83b227b928ce1e3f662060fbbecb
• Opcode Fuzzy Hash: 016ac131edd1c08c35bbdabb11c70abed8abf0a652261ceadfdb5cee7b8d7a2c
• Instruction Fuzzy Hash: 395191B0D006499FDB11DFA8D845AEEBBFAEF0A300F14415AE956E7291D730AE41CF64
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 00706C33
• SetWindowLongW.USER32(?,000000EC,?), ref: 00706C4A
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00706C73
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,006EAB79,00000000,00000000), ref: 00706C98
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00706CC7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Window$Long$MessageSendShow
• String ID: @U=u
• API String ID: 3688381893-2594219639
• Opcode ID: 83f1d204c93dcf4e4fc8bbb59bc351b561ec035aacc26d822ed35569f97f36f1
• Instruction ID: da1f02c41126808fc14f8207b385c3d361aa3f84185dc72472ee53023e2dc872
• Opcode Fuzzy Hash: 83f1d204c93dcf4e4fc8bbb59bc351b561ec035aacc26d822ed35569f97f36f1
• Instruction Fuzzy Hash: 0641C175A00104EFE725DF28CC68FAA7BE5EB09350F154368E895A72E0C779BD61CA60
APIs
  • Part of subcall function 006F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006F307A
  • Part of subcall function 006F304E: _wcslen.LIBCMT ref: 006F309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006F1112
• WSAGetLastError.WSOCK32 ref: 006F1121
• WSAGetLastError.WSOCK32 ref: 006F11C9
• closesocket.WSOCK32(00000000), ref: 006F11F9
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
• String ID:
• API String ID: 2675159561-0
• Opcode ID: 29746eddab90c23ffdfeee4bad7dbda2359ce4604650bcb88c4de17ffcd5db65
• Instruction ID: 651cef68260162f32d1c9dbc8b9e0b2d87867c891ab678f505f7b37e079a4987
• Opcode Fuzzy Hash: 29746eddab90c23ffdfeee4bad7dbda2359ce4604650bcb88c4de17ffcd5db65
• Instruction Fuzzy Hash: 3A41D331600208EFDB10DF24C844BB9B7AAEF46368F14C159FA199F391CB74AD41CBA5
APIs
  • Part of subcall function 006DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006DCF22,?), ref: 006DDDFD
  • Part of subcall function 006DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006DCF22,?), ref: 006DDE16
• lstrcmpiW.KERNEL32(?,?), ref: 006DCF45
• MoveFileW.KERNEL32(?,?), ref: 006DCF7F
• _wcslen.LIBCMT ref: 006DD005
• _wcslen.LIBCMT ref: 006DD01B
• SHFileOperationW.SHELL32(?), ref: 006DD061
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
• String ID: \*.*
• API String ID: 3164238972-1173974218
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D7769
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D778F
• SysAllocString.OLEAUT32(00000000), ref: 006D7792
• SysAllocString.OLEAUT32(?), ref: 006D77B0
• SysFreeString.OLEAUT32(?), ref: 006D77B9
• StringFromGUID2.OLE32(?,?,00000028), ref: 006D77DE
• SysAllocString.OLEAUT32(?), ref: 006D77EC
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D7842
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D7868
• SysAllocString.OLEAUT32(00000000), ref: 006D786B
• SysAllocString.OLEAUT32 ref: 006D788C
• SysFreeString.OLEAUT32 ref: 006D7895
• StringFromGUID2.OLE32(?,?,00000028), ref: 006D78AF
• SysAllocString.OLEAUT32(?), ref: 006D78BD
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00705745
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 0070579D
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 007057AF
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 007057BA
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00705816
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 763830540-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 9c269a9dbf1518313f376ef657f4b6feb776e5cee8c9c5598d04d443ab57606e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 2b27743cd3c9c22b9b0c1c28b3e4f5099d1e1215df5075ae900ce6ee771f94ce
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9c269a9dbf1518313f376ef657f4b6feb776e5cee8c9c5598d04d443ab57606e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 98218F75904618EADB209FA0CC84EEE77BCFF04320F108356F929AA1C0E7789985CF54
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetStdHandle.KERNEL32(0000000C), ref: 006E04F2
                                                                                                                                                                                                                                                                                                                                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006E052E
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CreateHandlePipe
                                                                                                                                                                                                                                                                                                                                                                                • String ID: nul
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1424370930-2873401336
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 144ea9f116a60e5478c443dea72d9b07f926be5e622533d9e817849a9e51efb5
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e14574a9fba22bd092472241783d43391e149fa9a6d9df02a37f0164bc7ac107
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 144ea9f116a60e5478c443dea72d9b07f926be5e622533d9e817849a9e51efb5
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D22171B5501345EFEB209F2ADD44A9A77B5BF45724F608A19F8A1D72E0D7B0D980CF20
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 006E05C6
                                                                                                                                                                                                                                                                                                                                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006E0601
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CreateHandlePipe
                                                                                                                                                                                                                                                                                                                                                                                • String ID: nul
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1424370930-2873401336
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 4c93b143a92ec3a732fac788a834d03dba4972aa0c5536c1f4251bd4c4c34d1f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 12b89ac456c36b0bfe59ce2e0efb3d7852655cc4762fb695ec8371236c67dfbf
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4c93b143a92ec3a732fac788a834d03dba4972aa0c5536c1f4251bd4c4c34d1f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FA21A175501345EBEB208F6A9C04B9A77E5BF85720F204B19F8A1E32E0DBF098A1CB14
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0067600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0067604C
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0067600E: GetStockObject.GDI32(00000011), ref: 00676060
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 0067600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0067606A
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00704112
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0070411F
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0070412A
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00704139
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00704145
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Msctls_Progress32
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1025951953-3636473452
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e6825231cefd151e5008d72f1bca5bb07ee54e1551d64f1ab2b4a448b4458a75
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 7f5853f06ab22ebde8b485ac2a9c3db848af54572bb50d62699d60477ea7a71e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e6825231cefd151e5008d72f1bca5bb07ee54e1551d64f1ab2b4a448b4458a75
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2A11B6B215011DBEEF119F64CC85EE77F9DEF08798F004211B718A2090CB769C61DBA4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006AD7A3: _free.LIBCMT ref: 006AD7CC
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD82D
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD838
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD843
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD897
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD8A2
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD8AD
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD8B8
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a64499e1e086aba0b0841a00f6f938f4c1c42f1387912513222f46eea773221f
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EC115171580B04AAD5A1BFB1CC47FCB7BDE6F02B00F40082DB29AA68A2DA65FD054E55
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006DDA74
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000000), ref: 006DDA7B
                                                                                                                                                                                                                                                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006DDA91
                                                                                                                                                                                                                                                                                                                                                                                • LoadStringW.USER32(00000000), ref: 006DDA98
                                                                                                                                                                                                                                                                                                                                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 006DDADC
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                • %s (%d) : ==> %s: %s %s, xrefs: 006DDAB9
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: HandleLoadModuleString$Message
                                                                                                                                                                                                                                                                                                                                                                                • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4072794657-3128320259
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: a0169f0420ee0beefbaaea15fdd0a99841e8abfef74d5ce5207f3b2a2985e9d4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b6c12f62774040c66ffb1e3685be5e9f31ad69b6a6eab6131c83b6a59b332128
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a0169f0420ee0beefbaaea15fdd0a99841e8abfef74d5ce5207f3b2a2985e9d4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 88018BF6900208BFF711A7A4DD89EE7336CD704701F448656B706E2181EA789E844F74
APIs
• InterlockedExchange.KERNEL32(013EE058,013EE058), ref: 006E097B
• EnterCriticalSection.KERNEL32(013EE038,00000000), ref: 006E098D
• TerminateThread.KERNEL32(?,000001F6), ref: 006E099B
• WaitForSingleObject.KERNEL32(?,000003E8), ref: 006E09A9
• CloseHandle.KERNEL32(?), ref: 006E09B8
• InterlockedExchange.KERNEL32(013EE058,000001F6), ref: 006E09C8
• LeaveCriticalSection.KERNEL32(013EE038), ref: 006E09CF
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
APIs
• __allrem.LIBCMT ref: 006A00BA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006A00D6
• __allrem.LIBCMT ref: 006A00ED
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006A010B
• __allrem.LIBCMT ref: 006A0122
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006A0140
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006982D9,006982D9,?,?,?,006A644F,00000001,00000001,8BE85006), ref: 006A6258
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006A644F,00000001,00000001,8BE85006,?,?,?), ref: 006A62DE
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006A63D8
• __freea.LIBCMT ref: 006A63E5
  • Part of subcall function 006A3820: RtlAllocateHeap.NTDLL(00000000,?,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6,?,00671129), ref: 006A3852
• __freea.LIBCMT ref: 006A63EE
• __freea.LIBCMT ref: 006A6413
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • VariantInit.OLEAUT32(00000035), ref: 006CF7B9
                                                                                                                                                                                                                                                                                                                                                                                • SysAllocString.OLEAUT32(00000001), ref: 006CF860
                                                                                                                                                                                                                                                                                                                                                                                • VariantCopy.OLEAUT32(006CFA64,00000000), ref: 006CF889
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(006CFA64), ref: 006CF8AD
                                                                                                                                                                                                                                                                                                                                                                                • VariantCopy.OLEAUT32(006CFA64,00000000), ref: 006CF8B1
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 006CF8BB
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Variant$ClearCopy$AllocInitString
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3859894641-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: acefc75e73d9b859c18abb9c21a17c33b351df69d79dbc31cd160104ec8454d8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f15c8eccec6638d31e41447a5bb8febbda03871b044d0f847855cad2f7024dfb
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: acefc75e73d9b859c18abb9c21a17c33b351df69d79dbc31cd160104ec8454d8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0A51B131A01310ABCF64AB65D895F79B3E7EF45710B20946EF906DF291DB708C41CBAA
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00677620: _wcslen.LIBCMT ref: 00677625
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A
                                                                                                                                                                                                                                                                                                                                                                                • GetOpenFileNameW.COMDLG32(00000058), ref: 006E94E5
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006E9506
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006E952D
                                                                                                                                                                                                                                                                                                                                                                                • GetSaveFileNameW.COMDLG32(00000058), ref: 006E9585
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen$FileName$OpenSave
                                                                                                                                                                                                                                                                                                                                                                                • String ID: X
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 83654149-3081909835
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 93aaed683f349b8b8f60dde44074a3bbd2f7350f122355bfdf63d34df86d57bc
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ac10117f35e401a395bd90b94a47c4b1a303f48970a4628c3b3ab987c64d9954
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 93aaed683f349b8b8f60dde44074a3bbd2f7350f122355bfdf63d34df86d57bc
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B8E1C231504340DFD764DF25C881AAAB7E6BF84314F04896DF8899B3A2EB31DD05CBA6
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2
                                                                                                                                                                                                                                                                                                                                                                                • BeginPaint.USER32(?,?,?), ref: 00689241
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 006892A5
                                                                                                                                                                                                                                                                                                                                                                                • ScreenToClient.USER32(?,?), ref: 006892C2
                                                                                                                                                                                                                                                                                                                                                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006892D3
                                                                                                                                                                                                                                                                                                                                                                                • EndPaint.USER32(?,?,?,?,?), ref: 00689321
                                                                                                                                                                                                                                                                                                                                                                                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006C71EA
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689339: BeginPath.GDI32(00000000), ref: 00689357
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
• API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
• String ID:
• API String ID: 3050599898-0
• Opcode ID: e653bf4c44fb3c0b228f06d7fb8794addfedd94565c081956bf318b149c63b63
• Instruction ID: 120e66054e95306fd7e4edd5b85d30fdd7f2330b4bba4cbdbd001fa2c5b2994b
• Opcode Fuzzy Hash: e653bf4c44fb3c0b228f06d7fb8794addfedd94565c081956bf318b149c63b63
• Instruction Fuzzy Hash: 6F419E70104200EFD721EF24DC94FBA7BAAEB46320F18436DF9A5872E1C775A845DB66
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 006E080C
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 006E0847
• EnterCriticalSection.KERNEL32(?), ref: 006E0863
• LeaveCriticalSection.KERNEL32(?), ref: 006E08DC
• ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006E08F3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 006E0921
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
• String ID:
• API String ID: 3368777196-0
• Opcode ID: 9a69b1cf2f353634b6414526deb478d55a857ab1e4dafb340c61054f6ba87680
• Instruction ID: 133d3a4e94090ddc0b104ac0dd7677956038edb6fa4abe4f83777ce3dcfd191a
• Opcode Fuzzy Hash: 9a69b1cf2f353634b6414526deb478d55a857ab1e4dafb340c61054f6ba87680
• Instruction Fuzzy Hash: 37419E71900205EFEF15AF54DC85AAA777AFF44300F1081A9ED009E297DB74DE61CBA8
APIs
  • Part of subcall function 00673AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00673A97,?,?,00672E7F,?,?,?,00000000), ref: 00673AC2
• _wcslen.LIBCMT ref: 006E587B
• CoInitialize.OLE32(00000000), ref: 006E5995
• CoCreateInstance.OLE32(0070FCF8,00000000,00000001,0070FB68,?), ref: 006E59AE
• CoUninitialize.OLE32 ref: 006E59CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
• String ID: .lnk
• API String ID: 3172280962-24824748
• Opcode ID: a785d50f323c49731ba2084641c430b7c6d3608580ac4c7669864164583ed6e2
• Instruction ID: 42487fa8fe76c7f85f6837b512aa28aa093f5921dcdb3a4329619e682e1d93f2
• Opcode Fuzzy Hash: a785d50f323c49731ba2084641c430b7c6d3608580ac4c7669864164583ed6e2
• Instruction Fuzzy Hash: C7D17370604741DFC714DF25C480A6ABBE2EF89718F14895DF88A9B362DB31EC05CB92
APIs
  • Part of subcall function 006D0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006D0FCA
  • Part of subcall function 006D0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006D0FD6
  • Part of subcall function 006D0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006D0FE5
  • Part of subcall function 006D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006D0FEC
  • Part of subcall function 006D0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006D1002
• GetLengthSid.ADVAPI32(?,00000000,006D1335), ref: 006D17AE
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 006D17BA
• HeapAlloc.KERNEL32(00000000), ref: 006D17C1
• CopySid.ADVAPI32(00000000,00000000,?), ref: 006D17DA
• GetProcessHeap.KERNEL32(00000000,00000000,006D1335), ref: 006D17EE
• HeapFree.KERNEL32(00000000), ref: 006D17F5
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: b9dcb413e0d4c92d5187e8620e4ff579e4a78c0f4039adb224d899544ba87709
• Instruction ID: 784988f58872da0338934fbb307865636d7e6223d087657cadda0fc252b2d0ac
• Opcode Fuzzy Hash: b9dcb413e0d4c92d5187e8620e4ff579e4a78c0f4039adb224d899544ba87709
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9F116A71A01205FBDB119FA4CC49BEE7BBAEB46355F10821AF441DB320DB79AA44CB64
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006D14FF
                                                                                                                                                                                                                                                                                                                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 006D1506
                                                                                                                                                                                                                                                                                                                                                                                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006D1515
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000004), ref: 006D1520
                                                                                                                                                                                                                                                                                                                                                                                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006D154F
                                                                                                                                                                                                                                                                                                                                                                                • DestroyEnvironmentBlock.USERENV(00000000), ref: 006D1563
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1413079979-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: eea657ebebba06c2a014cdbdf12f944852bf14d757f96c5a897fd7675ccbf5ca
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 012fa11f10b857b856997d639b704e8b743e6078dc57626953a1e304c3c1375e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eea657ebebba06c2a014cdbdf12f944852bf14d757f96c5a897fd7675ccbf5ca
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 36115E7250020DFBDF12CF94DD49BDE7BAAEF45704F048215FA05A6260C7B58E60DB61
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,00693379,00692FE5), ref: 00693390
                                                                                                                                                                                                                                                                                                                                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0069339E
                                                                                                                                                                                                                                                                                                                                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006933B7
                                                                                                                                                                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000,?,00693379,00692FE5), ref: 00693409
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3852720340-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ffaaa5470d73f039702597201237c1d40e112aa47c611a594e393a2df85ed454
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 067a3a409bb4af13224c88f4bc4db8829fe5d26c2bb4b1b3c1d6cde4ad006e2d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ffaaa5470d73f039702597201237c1d40e112aa47c611a594e393a2df85ed454
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4801F13224D331AEEF2A27746C859A62A9EEB1577A320832DF41094BF0EF114D02564C
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,006A5686,006B3CD6,?,00000000,?,006A5B6A,?,?,?,?,?,0069E6D1,?,00738A48), ref: 006A2D78
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2DAB
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2DD3
                                                                                                                                                                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000,?,?,?,?,0069E6D1,?,00738A48,00000010,00674F4A,?,?,00000000,006B3CD6), ref: 006A2DE0
                                                                                                                                                                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000,?,?,?,?,0069E6D1,?,00738A48,00000010,00674F4A,?,?,00000000,006B3CD6), ref: 006A2DEC
                                                                                                                                                                                                                                                                                                                                                                                • _abort.LIBCMT ref: 006A2DF2
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 9c40227c4aa448c772406e30ade126ca1923424abc5718f10a86fa4fe1637068
• Instruction ID: e5c1febdbff7850fbc65bf89f893fd88296aad586d970beea1eb4a065565e5b4
• Opcode Fuzzy Hash: 9c40227c4aa448c772406e30ade126ca1923424abc5718f10a86fa4fe1637068
• Instruction Fuzzy Hash: BCF0F93158450267C263333D7C26B5B1657AFC3B61B20421CF424922D3EF289C015D69
APIs
  • Part of subcall function 00689639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00689693
  • Part of subcall function 00689639: SelectObject.GDI32(?,00000000), ref: 006896A2
  • Part of subcall function 00689639: BeginPath.GDI32(?), ref: 006896B9
  • Part of subcall function 00689639: SelectObject.GDI32(?,00000000), ref: 006896E2
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00708A4E
• LineTo.GDI32(?,00000003,00000000), ref: 00708A62
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00708A70
• LineTo.GDI32(?,00000000,00000003), ref: 00708A80
• EndPath.GDI32(?), ref: 00708A90
• StrokePath.GDI32(?), ref: 00708AA0
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: e26f03811dd2ff1cd3caa7c74a1f032b8159b5dea076738becdca903162c5bc6
• Instruction ID: 43f4fedd53da0435edc8d7f37495a298163fa564be564de37f7fdb59cb4d4faf
• Opcode Fuzzy Hash: e26f03811dd2ff1cd3caa7c74a1f032b8159b5dea076738becdca903162c5bc6
• Instruction Fuzzy Hash: B8110C7600014CFFEB129F90DC88EAA7F6DEB04354F04C212FA15991A1DB759D55DBA4
APIs
• GetDC.USER32(00000000), ref: 006D5218
• GetDeviceCaps.GDI32(00000000,00000058), ref: 006D5229
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 006D5230
• ReleaseDC.USER32(00000000,00000000), ref: 006D5238
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 006D524F
• MulDiv.KERNEL32(000009EC,00000001,?), ref: 006D5261
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: c24421a448a5c3e30adde19dda441d42fa71fa07b84a8d4525a33095126b5650
• Instruction ID: a383e1a1da75fdd0b9e6695c9e13b488bafb6607fed43b19a9d9553399923793
• Opcode Fuzzy Hash: c24421a448a5c3e30adde19dda441d42fa71fa07b84a8d4525a33095126b5650
• Instruction Fuzzy Hash: A8018F75E00708FBEB119BA59C49F5EBFB9EB48351F048166FA05A7380DA709904CBA4
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006DEB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006DEB46
• GetWindowThreadProcessId.USER32(?,?), ref: 006DEB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006DEB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006DEB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006DEB75
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: fe31608b93825c3ce8605206191cec97484a0dd2540c3722f10a83bc74a9138f
• Instruction ID: 2bdc17870ef43912a552c3e11c1d88777a7b7c11cec8d28298bf3c9362a5657b
• Opcode Fuzzy Hash: fe31608b93825c3ce8605206191cec97484a0dd2540c3722f10a83bc74a9138f
• Instruction Fuzzy Hash: 41F09072500118FBE72257529C0EEEF3A7CEFCAB11F008359F601D1190DBA51A01C6B9
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 006D187F
                                                                                                                                                                                                                                                                                                                                                                                • UnloadUserProfile.USERENV(?,?), ref: 006D188B
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 006D1894
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 006D189C
                                                                                                                                                                                                                                                                                                                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 006D18A5
                                                                                                                                                                                                                                                                                                                                                                                • HeapFree.KERNEL32(00000000), ref: 006D18AC
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 146765662-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: a951dc62f2c020cb168e4c5bf49b61e4aa9f7e6b89f87abff213c899cb1ea33c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: c5c0785664a5739c708fafbd5812f959e97522910d96d9287638a772c05dab1e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a951dc62f2c020cb168e4c5bf49b61e4aa9f7e6b89f87abff213c899cb1ea33c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 74E0C276004105FBDA025BA1ED0C90ABB39FB49B22B10C320F225810B0CF369820DB98
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 0067BEB3
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Init_thread_footer
                                                                                                                                                                                                                                                                                                                                                                                • String ID: D%t$D%t$D%t$D%tD%t
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1385522511-535996708
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 8354cb22951db66f1d0b49bba5f8906c64206985b804a661a601106f04ddc14f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 27e6ae4f684b36ddf0c40748186e0c2c53a911560dc711845b9ef400cf0c0594
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8354cb22951db66f1d0b49bba5f8906c64206985b804a661a601106f04ddc14f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C8913B75A0020ADFCB14CF58C0906AAB7F2FF58314F64D16AE949AB351E731A992CB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00690242: EnterCriticalSection.KERNEL32(0074070C,00741884,?,?,0068198B,00742518,?,?,?,006712F9,00000000), ref: 0069024D
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00690242: LeaveCriticalSection.KERNEL32(0074070C,?,0068198B,00742518,?,?,?,006712F9,00000000), ref: 0069028A
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006900A3: __onexit.LIBCMT ref: 006900A9
                                                                                                                                                                                                                                                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 006F7BFB
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006901F8: EnterCriticalSection.KERNEL32(0074070C,?,?,00688747,00742514), ref: 00690202
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006901F8: LeaveCriticalSection.KERNEL32(0074070C,?,00688747,00742514), ref: 00690235
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
• String ID: +Tl$5$G$Variable must be of type 'Object'.
• API String ID: 535116098-841633982
• Opcode ID: e6240296f8f8a9401b9a01d6b9a53e257c6cfe0027746188e2cdd136beae75b2
• Instruction ID: 8e4d9193399a2afd1df0c648d70784ad4c89f8c758cf2d938790f46decacf5a2
• Opcode Fuzzy Hash: e6240296f8f8a9401b9a01d6b9a53e257c6cfe0027746188e2cdd136beae75b2
• Instruction Fuzzy Hash: 2E916874A04209EFCB04EF94D8919FDB7B2AF49300F50815DFA06AB3A2DB71AE41CB55
APIs
  • Part of subcall function 00677620: _wcslen.LIBCMT ref: 00677625
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006DC6EE
• _wcslen.LIBCMT ref: 006DC735
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006DC79C
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006DC7CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ItemMenu$Info_wcslen$Default
• String ID: 0
• API String ID: 1227352736-4108050209
• Opcode ID: 6ba7bf1e26502e3c5a51eced2d791f309506c21b400f561f8acd0007ec1fdb4b
• Instruction ID: 47b7ef66369fc331b1c14820ca7ee2c3cf7f91f99edf1e7644ed6481a14c2c39
• Opcode Fuzzy Hash: 6ba7bf1e26502e3c5a51eced2d791f309506c21b400f561f8acd0007ec1fdb4b
• Instruction Fuzzy Hash: DF510371A043469BD754EF28C884BAB77EAAF89320F040A2EF995D33D0DB74D844CB56
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 006FAEA3
  • Part of subcall function 00677620: _wcslen.LIBCMT ref: 00677625
• GetProcessId.KERNEL32(00000000), ref: 006FAF38
• CloseHandle.KERNEL32(00000000), ref: 006FAF67
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CloseExecuteHandleProcessShell_wcslen
• String ID: <$@
• API String ID: 146682121-1426351568
• Opcode ID: 42a709a68ce01052ff161f748f9565fef42a8c35b3fff7303e877c375928b712
• Instruction ID: 1a62866bececd0f80fc95c04c55d45aa1355ed97e3a0882c04a037b0854d308b
• Opcode Fuzzy Hash: 42a709a68ce01052ff161f748f9565fef42a8c35b3fff7303e877c375928b712
• Instruction Fuzzy Hash: 40715B71A00219DFCB14DF94C485AAEBBF2BF08314F14849DE95AAB362CB74ED41CB95
APIs
• GetWindowRect.USER32(?,?), ref: 007062E2
• ScreenToClient.USER32(?,?), ref: 00706315
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00706382
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID: @U=u
• API String ID: 3880355969-2594219639
• Opcode ID: f7cbfe4f9d93287f5b6493a6c3d5b072de9aed0475a1a38baba912aaec684edc
• Instruction ID: 994b7bb773e5bbaaac496766a0cd174d93538346fc15bee23dc941e10437617e
• Opcode Fuzzy Hash: f7cbfe4f9d93287f5b6493a6c3d5b072de9aed0475a1a38baba912aaec684edc
• Instruction Fuzzy Hash: AA512A75900249EFDF20DF54D890AAE7BF6FB45360F108259F915972D0D734AD91CB90
APIs
  • Part of subcall function 006DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21D0,?,?,00000034,00000800,?,00000034), ref: 006DB42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006D2760
  • Part of subcall function 006DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 006DB3F8
  • Part of subcall function 006DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 006DB355
  • Part of subcall function 006DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006D2194,00000034,?,?,00001004,00000000,00000000), ref: 006DB365
  • Part of subcall function 006DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006D2194,00000034,?,?,00001004,00000000,00000000), ref: 006DB37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006D27CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006D281A
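The next function in this report chains GetWindowThreadProcessId, OpenProcess(00000438), VirtualAllocEx(..., 00001000, 00000004), WriteProcessMemory and ReadProcessMemory around SendMessageW calls with message IDs 00001104 and 00001111. The following Python is an added example (not part of the Joe Sandbox report, and not AutoIt or Joe Sandbox code) that parses such an "APIs" listing, decodes the OpenProcess access mask, the VirtualAllocEx page protection and the window-message IDs against the Windows SDK constants (winnt.h, commctrl.h), and classifies the chain. The sample input is that function's own API lines copied from the report; the verdict labels and the heuristic are this example's own and are assumptions, not Joe Sandbox signatures.

```python
"""Decode a Joe Sandbox "APIs" function listing and characterise its
cross-process memory chain. Added example; not Joe Sandbox or AutoIt code."""
import re
from dataclasses import dataclass
from typing import Optional

# The API lines of the SendMessageW/OpenProcess/VirtualAllocEx function in this
# report, copied verbatim as the sample input for the example.
SAMPLE_LISTING = """\
  • Part of subcall function 006DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21D0,?,?,00000034,00000800,?,00000034), ref: 006DB42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006D2760
  • Part of subcall function 006DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 006DB3F8
  • Part of subcall function 006DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 006DB355
  • Part of subcall function 006DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006D2194,00000034,?,?,00001004,00000000,00000000), ref: 006DB365
  • Part of subcall function 006DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006D2194,00000034,?,?,00001004,00000000,00000000), ref: 006DB37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006D27CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006D281A
"""

# One report line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE(arg,arg,...), ref: ADDRESS.  Lines without parentheses (the
# _wcslen.LIBCMT form) are skipped.
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list              # raw hex strings; '?' where the sandbox could not resolve a value
    ref: str                # address of the call instruction
    subcall: Optional[str]  # address of the subcall function, if the call sits in one

def parse_api_listing(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            calls.append(ApiCall(m["api"], m["mod"], m["args"].split(","), m["ref"], m["sub"]))
    return calls

def arg_int(raw: str) -> Optional[int]:
    """Hex argument as int, None for an unresolved '?' slot."""
    raw = raw.strip()
    return None if raw == "?" else int(raw, 16)

# Windows SDK constants (winnt.h / commctrl.h). Only the values needed here.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PAGE_PROTECT = {  # exact values in the low byte; PAGE_GUARD etc. live above it
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WINDOW_MESSAGES = {  # TV_FIRST = 0x1100, LVM_FIRST = 0x1000
    0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST",
    0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW",
}

def decode_flags(value: int, table: dict) -> list:
    """Bit-flag mask to names, with any unknown bits kept as a hex remainder."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append("0x%X" % (value & ~known))
    return names

def analyze(text: str) -> dict:
    """Decode the interesting parameters and classify the cross-process chain.
    Only the leading, documented parameters are decoded: Joe Sandbox prints
    further stack slots after them (e.g. 00001073 inside ReadProcessMemory)."""
    calls = parse_api_listing(text)
    names = {c.api for c in calls}
    report = {"calls": len(calls), "open_process_rights": [], "alloc_protect": None, "messages": []}
    exec_alloc = False
    for c in calls:
        if c.api == "OpenProcess" and (v := arg_int(c.args[0])) is not None:
            report["open_process_rights"] = decode_flags(v, PROCESS_RIGHTS)
        elif c.api == "VirtualAllocEx" and len(c.args) > 4 and (v := arg_int(c.args[4])) is not None:
            report["alloc_protect"] = PAGE_PROTECT.get(v & 0xFF, "0x%X" % v)
            exec_alloc = bool(v & 0xF0)  # any PAGE_EXECUTE* protection
        elif c.api in ("SendMessageW", "SendMessageA") and len(c.args) > 1 and (v := arg_int(c.args[1])) is not None:
            report["messages"].append(WINDOW_MESSAGES.get(v, "0x%04X" % v))
    remote_mem = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"} <= names
    thread_ctl = bool(names & {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC",
                               "SetThreadContext", "RtlCreateUserThread"})
    if remote_mem and (exec_alloc or thread_ctl):
        verdict = "remote code injection indicators"
    elif remote_mem and report["messages"]:
        verdict = "cross-process buffer marshalling for window messages"
    elif remote_mem:
        verdict = "cross-process memory access"
    else:
        verdict = "no cross-process memory chain"
    report["verdict"] = verdict
    return report

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Read on the listing below, 00000438 decodes to PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, the VirtualAllocEx call commits a PAGE_READWRITE (not executable) buffer, and the messages are TVM_GETITEMRECT and TVM_HITTEST. Those tree-view messages, like LVM_GETITEMTEXTW (00001073, visible as a stack slot in the ReadProcessMemory line), take a pointer that must be valid in the address space of the process that owns the control, so a caller in another process has to allocate the RECT or TVHITTESTINFO structure there, write it, send the message and read the result back. That is the same chain an injector starts with, which is why the API list looks alarming in isolation; AutoIt's ControlTreeView and ControlListView functions use exactly this pattern, and the report already flags the sample as a likely compiled AutoIt script. The example therefore only reports "cross-process buffer marshalling" when no executable protection or remote-thread API appears in the same function; that judgement covers this one function's listing, not the embedded script or the rest of the binary.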
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @$@U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4150878124-826235744
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 9d0968765f3cdbb2a872a0bd396bf803fb5d3775ee298d25faaa6cb602158978
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: d37992d2b03a2f28155a0d984b076cd900de0fdae46f2b822658bdae49946043
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9d0968765f3cdbb2a872a0bd396bf803fb5d3775ee298d25faaa6cb602158978
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A6414F72D00218AFDB10DBA4CC51EEEBBB9EF15300F00509AFA55B7281DB706E45DBA0
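The API listing above is the part of this report an analyst actually has to interpret: OpenProcess, VirtualAllocEx, WriteProcessMemory and ReadProcessMemory against a window's owning process read like process injection, but the SendMessageW calls in between carry tree-view messages whose lParam must point at memory inside the target process, which is exactly why a remote buffer is needed. The following script is an added example, not Joe Sandbox's or the sample's code: it parses the "APIs" lines in the format printed above (the sample lines are copied from this listing), names the constants from the Windows SDK headers (0x438 desired access, MEM_COMMIT/PAGE_READWRITE, the LVM_/TVM_ message IDs), and flags whether the full remote-memory chain is present and whether the allocated page is executable. The function and table names (`analyze`, `REMOTE_MEMORY_CHAIN`, and so on) are mine.

```python
import re
from typing import Dict, List, Optional

# "APIs" lines copied from the function listing above, in the form Joe Sandbox
# prints them. The "Part of subcall function" prefix marks a call made from a
# callee of the listed function rather than from the function itself.
REPORT_LINES = [
    "Part of subcall function 006DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21D0,?,?,00000034,00000800,?,00000034), ref: 006DB42D",
    "SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006D2760",
    "Part of subcall function 006DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 006DB3F8",
    "Part of subcall function 006DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 006DB355",
    "Part of subcall function 006DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006D2194,00000034,?,?,00001004,00000000,00000000), ref: 006DB365",
    "Part of subcall function 006DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006D2194,00000034,?,?,00001004,00000000,00000000), ref: 006DB37B",
    "SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006D27CD",
    "SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006D281A",
]

# One report line: optional subcall prefix, Api.MODULE(args), ref: address.
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Constant names from the Windows SDK headers (winnt.h, memoryapi.h, commctrl.h)
# for the values that appear in the listing.
PROCESS_ACCESS = {
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
WINDOW_MESSAGES = {
    0x1004: "LVM_GETITEMCOUNT",
    0x1073: "LVM_GETITEMTEXTW",
    0x1024: "LVM_SETTEXTCOLOR",
    0x1104: "TVM_GETITEMRECT",
    0x1111: "TVM_HITTEST",
}
# All four are needed to exchange data through another process's address space
# (the lParam of the TVM_/LVM_ messages above has to point into that process).
REMOTE_MEMORY_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory")


def parse_line(line: str) -> Optional[Dict]:
    """Split one report line into api, module, caller, argument list and ref address."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "caller": m.group("caller"),          # None when the call is direct
        "args": m.group("args").split(","),   # "?" = value not resolved by the plugin
        "ref": int(m.group("ref"), 16),
    }


def arg_int(arg: str) -> Optional[int]:
    """Hex argument to int; an unresolved '?' (or empty slot) becomes None."""
    return None if arg in ("?", "") else int(arg, 16)


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Name the known bits of a mask; any unknown remainder is kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def analyze(lines: List[str]) -> Dict:
    """Summarise what the listed call chain does to another process."""
    calls = [c for c in map(parse_line, lines) if c]
    apis = {c["api"] for c in calls}
    result: Dict = {
        "apis": sorted(apis),
        "open_process_access": [],
        "alloc": [],
        "executable_alloc": False,
        "messages": [],
        "remote_memory_chain": all(a in apis for a in REMOTE_MEMORY_CHAIN),
    }
    for c in calls:
        a = c["args"]
        if c["api"] == "OpenProcess" and (mask := arg_int(a[0])) is not None:
            result["open_process_access"] = decode_flags(mask, PROCESS_ACCESS)
        elif c["api"] == "VirtualAllocEx" and len(a) > 4:
            alloc_type, protect = arg_int(a[3]), arg_int(a[4])
            if alloc_type is not None:
                result["alloc"] += decode_flags(alloc_type, ALLOC_TYPE)
            if protect is not None:
                result["alloc"].append(PAGE_PROTECT.get(protect, f"0x{protect:X}"))
                # Every PAGE_EXECUTE* value lives in the 0xF0 nibble: a read/write
                # page is a data buffer, an executable one is the injection sign.
                result["executable_alloc"] = bool(protect & 0xF0)
        elif c["api"] == "SendMessageW" and len(a) > 1 and (msg := arg_int(a[1])) is not None:
            result["messages"].append(WINDOW_MESSAGES.get(msg, f"0x{msg:04X}"))
    return result


if __name__ == "__main__":
    for key, value in analyze(REPORT_LINES).items():
        print(f"{key}: {value}")
```

Run against the listing above it reports the full remote-memory chain with PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, a MEM_COMMIT / PAGE_READWRITE buffer (not executable), and the messages TVM_GETITEMRECT and TVM_HITTEST. That combination is consistent with cross-process control automation of the kind a compiled AutoIt runtime performs rather than with code injection; an executable allocation or a CreateRemoteThread/SetThreadContext in the same chain would change that reading, and the table can be extended with the IDs seen in the other functions of this report.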
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006D7206
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006D723C
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006D724D
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006D72CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: b18cd1176def773b0fc40ac837dc35cd2252163fff3c268689c37208bacd6a9f
• Instruction ID: cde84acddf40b3b800bbb2ab577c84919988c3e66f143a79ec8e3864d3cfb622
• Opcode Fuzzy Hash: b18cd1176def773b0fc40ac837dc35cd2252163fff3c268689c37208bacd6a9f
• Instruction Fuzzy Hash: D34181B1A04204EFDB15CF54C884A9A7BAAEF44310F1481AEFD059F34AE7B4DA45CBA1
APIs
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00705352
• GetWindowLongW.USER32(?,000000F0), ref: 00705375
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00705382
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007053A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: LongWindow$InvalidateMessageRectSend
• String ID: @U=u
• API String ID: 3340791633-2594219639
• Opcode ID: 31a043048122f1d76eb392201ad9ba365ed50096284ec00a0c54dddc4d6f3639
• Instruction ID: cc00dbfaf580c3bf8d9201a6bb1c1e53c4e83ab052fa63496b8ace4355b2d9cb
• Opcode Fuzzy Hash: 31a043048122f1d76eb392201ad9ba365ed50096284ec00a0c54dddc4d6f3639
• Instruction Fuzzy Hash: F631C634A55A08EFEB309F14CC06BEAF7E5AB05394F584301FA10961E1C7BDA980DF55
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: HKEY_LOCAL_MACHINE$HKLM
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 176396367-4004644295
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e8c546b488ce723f3be08ebbc8496deb173f90316a387f5ebf1cf14b219809fe
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: d1ba7414d1791eefe29aa67a682d6efc7bf9706d16501f04baae8b06f2064dd0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e8c546b488ce723f3be08ebbc8496deb173f90316a387f5ebf1cf14b219809fe
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E6312873A0016D8BCB30DF2D8A514FE33935BA1760F154029ED45AB345EA71ED40D3A0
APIs
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00702F8D
• LoadLibraryW.KERNEL32(?), ref: 00702F94
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00702FA9
• DestroyWindow.USER32(?), ref: 00702FB1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend$DestroyLibraryLoadWindow
• String ID: SysAnimate32
• API String ID: 3529120543-1011021900
• Opcode ID: fc54cb31c161be0095dda59ed7be3cbe59d25fe8c7a258da8dc08c1283245a10
• Instruction ID: b3d02ee2dd0417b003c9b82952fb87693e616c732b1e4c922e11954e870060af
• Opcode Fuzzy Hash: fc54cb31c161be0095dda59ed7be3cbe59d25fe8c7a258da8dc08c1283245a10
• Instruction Fuzzy Hash: 9F21BE72200206EBEB115F64DC48EBB77F9EB593A4F104718F910920E1C779EC429760
APIs
• SendMessageW.USER32(?,00001060,?,00000004), ref: 007056BB
• _wcslen.LIBCMT ref: 007056CD
• _wcslen.LIBCMT ref: 007056D8
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00705816
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend_wcslen
• String ID: @U=u
• API String ID: 455545452-2594219639
• Opcode ID: 933b60243ecd73e250db87a63e9ad1eac5d49c660b822dc81f8cd053e659b527
• Instruction ID: f65747736b150b5766ff8b647e7ce7734d5db30d701bc40286a274dc2b99c738
• Opcode Fuzzy Hash: 933b60243ecd73e250db87a63e9ad1eac5d49c660b822dc81f8cd053e659b527
• Instruction Fuzzy Hash: 6711BE75A00608E6DF209F61CC85EEF77ECEF11760B50826AF915D60C1EBB89A81CF64
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0067604C
• GetStockObject.GDI32(00000011), ref: 00676060
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0067606A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID: @U=u
• API String ID: 3970641297-2594219639
• Opcode ID: f1d4db99044eecd27bf5c43de2856d31300ffacb1c34186c7da92455a13385ed
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ea9789bc735574af0e62fc9905b24d6bb1e4f977dee87f07c9e414fd3aa5710b
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f1d4db99044eecd27bf5c43de2856d31300ffacb1c34186c7da92455a13385ed
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B511A172101908FFEF125F94CD44EEA7B6AFF08364F008205FA0852110CB369C60DF90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00694D1E,006A28E9,?,00694CBE,006A28E9,007388B8,0000000C,00694E15,006A28E9,00000002), ref: 00694D8D
                                                                                                                                                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00694DA0
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,00694D1E,006A28E9,?,00694CBE,006A28E9,007388B8,0000000C,00694E15,006A28E9,00000002,00000000), ref: 00694DC3
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                                                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 5403d0c4a607a27f459d73a536ad62066bb0f1cf51f0aff16972662e2e85aefb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f3419333c6cafe600decfdbb44184401b5e5f98341596a59bd61d97a57e01b37
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5403d0c4a607a27f459d73a536ad62066bb0f1cf51f0aff16972662e2e85aefb
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C6F0A434500208FBDF125F94DC09BEDBBB9EF04712F044294F805A2690DF785981CBD4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00674EDD,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E9C
                                                                                                                                                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00674EAE
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00674EDD,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674EC0
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 145871493-3689287502
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c9887d07969b6d1e62ddb634e5ea42d239e10fa92c74628b10e073ca4317a7db
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 0249ce306348c0d6603e60f2f9e1fd9cd093dfc2229196575c1797833a4abe88
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c9887d07969b6d1e62ddb634e5ea42d239e10fa92c74628b10e073ca4317a7db
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 01E08676A01622DBD23317256C1CAAB6555AF81B72B058315FC04D2241DF68CD0180A4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,006B3CDE,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E62
                                                                                                                                                                                                                                                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00674E74
                                                                                                                                                                                                                                                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,006B3CDE,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E87
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
• Opcode ID: 83f0b41dab3f4fa1427622d50198f9b8b7c36b6c9ed502bd06c375e89840c1c6
• Instruction ID: 595221ff06e9a9cf671c12505fdd393fc52d049ebe353c8192ef9cf56c6a77c5
• Opcode Fuzzy Hash: 83f0b41dab3f4fa1427622d50198f9b8b7c36b6c9ed502bd06c375e89840c1c6
• Instruction Fuzzy Hash: F7D0C27250262197D6331B246C0CDCB2A1EEF85B213058310B808E2250CF68CD0182D4
APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006E2C05
• DeleteFileW.KERNEL32(?), ref: 006E2C87
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006E2C9D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006E2CAE
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006E2CC0
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
• Opcode ID: fe35f037d1a1d0e0e1cd19dd6a961f073ef646abb983641dc4f3cfa65ce44137
• Instruction ID: bdb2b64b0d7e15ea012ad1e4e7da3dcd38e8021bffba57c44f6c5ab6310878b7
• Opcode Fuzzy Hash: fe35f037d1a1d0e0e1cd19dd6a961f073ef646abb983641dc4f3cfa65ce44137
• Instruction Fuzzy Hash: D1B17F71D01219ABDF51DFA5CC95EDEB7BEEF48340F1040AAF609E7241EA309A448F65
APIs
• GetCurrentProcessId.KERNEL32 ref: 006FA427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006FA435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 006FA468
• CloseHandle.KERNEL32(?), ref: 006FA63D
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
• Opcode ID: 383ac20fcf43d71c3632fc07d213c7626996e13bbf4bd98e8cc61e68c3f3734a
• Instruction ID: 055da942f9e7b55de0ebd746c81dec0c13e6dd58df95c87d01b0ed7126a2a0fd
• Opcode Fuzzy Hash: 383ac20fcf43d71c3632fc07d213c7626996e13bbf4bd98e8cc61e68c3f3734a
• Instruction Fuzzy Hash: E0A181B16043009FE760DF24C886F2AB7E6AF84714F14895DF559DB392DBB0EC418B96
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00713700), ref: 006ABB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,0074121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006ABC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00741270,000000FF,?,0000003F,00000000,?), ref: 006ABC36
• _free.LIBCMT ref: 006ABB7F
  • Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
  • Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0
• _free.LIBCMT ref: 006ABD4B
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
• Opcode ID: f3a106d8b7132aaf526b7d346886266123af557b7787364749994df838d13751
• Instruction ID: 732370b0b1a94a2ceaa3bbeb2deb616cf5c1cde86738ffbd784ff2ded3a33a29
• Opcode Fuzzy Hash: f3a106d8b7132aaf526b7d346886266123af557b7787364749994df838d13751
• Instruction Fuzzy Hash: 7C510871900209EFCB10FF659C819AEB7BAFF43320B10526EE411D7292EB749E818F58
APIs
  • Part of subcall function 006DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006DCF22,?), ref: 006DDDFD
  • Part of subcall function 006DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006DCF22,?), ref: 006DDE16
  • Part of subcall function 006DE199: GetFileAttributesW.KERNEL32(?,006DCF95), ref: 006DE19A
• lstrcmpiW.KERNEL32(?,?), ref: 006DE473
• MoveFileW.KERNEL32(?,?), ref: 006DE4AC
• _wcslen.LIBCMT ref: 006DE5EB
                                                                                                                                                                                                                                                                                                                                                                                • _wcslen.LIBCMT ref: 006DE603
                                                                                                                                                                                                                                                                                                                                                                                • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 006DE650
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3183298772-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: e308a58a90bc4894275aaee9c6ca5cf7023fef5a85df7c06bdf8186e62d53f55
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: b2cf03a08b8956a4d595ee7323e97c2790993b0fabfa8cfe28c851ec602e8a34
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e308a58a90bc4894275aaee9c6ca5cf7023fef5a85df7c06bdf8186e62d53f55
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 445184B29083459BC764EB90DC819DF73EEAF84340F00491FF589D7251EF75A588876A
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006FB6AE,?,?), ref: 006FC9B5
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FC9F1
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA68
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA9E
                                                                                                                                                                                                                                                                                                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006FBAA5
                                                                                                                                                                                                                                                                                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006FBB00
                                                                                                                                                                                                                                                                                                                                                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006FBB63
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(?,?), ref: 006FBBA6
                                                                                                                                                                                                                                                                                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 006FBBB3
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 826366716-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: a340e85c435c6c944d78cfa147a0b4c16a1f59dd59a90c5ff039fc949d476033
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: c1e3abf91b8147c660d8ffa9dcfbac2f7d2b4c7154c80fcdb7a07024978f2a45
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a340e85c435c6c944d78cfa147a0b4c16a1f59dd59a90c5ff039fc949d476033
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E8617C31208245AFD714DF14C891E7ABBE6FF84308F14999CF5998B2A2DB31ED45CB92
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • VariantInit.OLEAUT32(?), ref: 006D8BCD
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32 ref: 006D8C3E
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32 ref: 006D8C9D
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 006D8D10
                                                                                                                                                                                                                                                                                                                                                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006D8D3B
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
• Opcode ID: 8ed117dfaa6cd56f923234ad6c20304cd4d5d65759fb139f71bd5d7111e0ecfa
• Instruction ID: 420bac599c9e208299d8fffa15a29a8a379964d706c6b1db7e92eb172f757908
• Opcode Fuzzy Hash: 8ed117dfaa6cd56f923234ad6c20304cd4d5d65759fb139f71bd5d7111e0ecfa
• Instruction Fuzzy Hash: 56515CB5A00219EFCB14CF59C894AAAB7FAFF89310B15855AF905DB350E734E911CF90
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006E8BAE
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 006E8BDA
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006E8C32
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006E8C57
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006E8C5F
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
• Opcode ID: dc4f7617c9c368c3a2a50e92fc0d40661e470314fa100a62acb75fb684a3fb3a
• Instruction ID: 2bc96327ea08724d6645005153950d73d9ae586f16e0eaa6767dbde850ce565a
• Opcode Fuzzy Hash: dc4f7617c9c368c3a2a50e92fc0d40661e470314fa100a62acb75fb684a3fb3a
• Instruction Fuzzy Hash: 6C515B35A002149FDB05DF65C881AADBBF2FF49314F18C098E809AB362CB35ED41CB94
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 006F8F40
• GetProcAddress.KERNEL32(00000000,?), ref: 006F8FD0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 006F8FEC
• GetProcAddress.KERNEL32(00000000,?), ref: 006F9032
• FreeLibrary.KERNEL32(00000000), ref: 006F9052
  • Part of subcall function 0068F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,006E1043,?,75B8E610), ref: 0068F6E6
  • Part of subcall function 0068F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,006CFA64,00000000,00000000,?,?,006E1043,?,75B8E610,?,006CFA64), ref: 0068F70D
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
• Opcode ID: bdfe5459d1ff0bfbcc30aa5deab52e7f6f7314beb1a635b78fcbebb3ba265514
• Instruction ID: 9b4291502f4c9fa178d3d4d71208284d537956e7d2f4d2c61a28920d3bab7f9e
• Opcode Fuzzy Hash: bdfe5459d1ff0bfbcc30aa5deab52e7f6f7314beb1a635b78fcbebb3ba265514
• Instruction Fuzzy Hash: 00514834605209DFCB15DF58C4849ADBBF2FF49314B08C1A8E90A9B362DB31ED86CB95
APIs
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: a1ffe7c38bb6425ffda0414afd659e29e4e2957b0247edbe0b0068d68e986d2e
• Instruction ID: 93ed80413e6bf5e2696b2b737e515508600cbfd007d6ba2992475b540e7414eb
• Opcode Fuzzy Hash: a1ffe7c38bb6425ffda0414afd659e29e4e2957b0247edbe0b0068d68e986d2e
• Instruction Fuzzy Hash: FF41E472A40201AFCB24EF7CC890A9EB7E6EF8A714F1545A9E615EB351D631AD01CB80
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetCursorPos.USER32(?), ref: 00689141
                                                                                                                                                                                                                                                                                                                                                                                • ScreenToClient.USER32(00000000,?), ref: 0068915E
                                                                                                                                                                                                                                                                                                                                                                                • GetAsyncKeyState.USER32(00000001), ref: 00689183
                                                                                                                                                                                                                                                                                                                                                                                • GetAsyncKeyState.USER32(00000002), ref: 0068919D
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
APIs
• GetInputState.USER32 ref: 006E38CB
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 006E3922
• TranslateMessage.USER32(?), ref: 006E394B
• DispatchMessageW.USER32(?), ref: 006E3955
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E3966
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,006EC21E,00000000), ref: 006ECF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 006ECF6F
• GetLastError.KERNEL32(?,00000000,?,?,?,006EC21E,00000000), ref: 006ECFB4
• SetEvent.KERNEL32(?,?,00000000,?,?,?,006EC21E,00000000), ref: 006ECFC8
• SetEvent.KERNEL32(?,?,00000000,?,?,?,006EC21E,00000000), ref: 006ECFF2
Similarity
• API ID: EventInternet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 3191363074-0
APIs
• GetWindowRect.USER32(?,?), ref: 006D1915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 006D19C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 006D19C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 006D19DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 006D19E2
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessagePostSleep$RectWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3382505437-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 711f452232b365a9c974f9315f3f2dc3bc20d794e08b5d3e72838ba18cc1ad80
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 05710fc7118f756866606f21fee0c8f107777457378249e1789e6338c9f81c63
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 711f452232b365a9c974f9315f3f2dc3bc20d794e08b5d3e72838ba18cc1ad80
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 51318171900219EFCB14CFA8C9A9ADE7BB6EB45315F108366F921AB3D1C7B09D54CB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • IsWindow.USER32(00000000), ref: 006F0951
                                                                                                                                                                                                                                                                                                                                                                                • GetForegroundWindow.USER32 ref: 006F0968
                                                                                                                                                                                                                                                                                                                                                                                • GetDC.USER32(00000000), ref: 006F09A4
                                                                                                                                                                                                                                                                                                                                                                                • GetPixel.GDI32(00000000,?,00000003), ref: 006F09B0
                                                                                                                                                                                                                                                                                                                                                                                • ReleaseDC.USER32(00000000,00000003), ref: 006F09E8
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$ForegroundPixelRelease
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4156661090-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 69a92afe0da436c5b5c8b79fa41ab090ddddb67b4f3d9d70750e6936ea5aefc0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 32011708739cb50d28127319b5a4cb2855cd2c5f60e8270cd8f6309b23303868
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 69a92afe0da436c5b5c8b79fa41ab090ddddb67b4f3d9d70750e6936ea5aefc0
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 62218135600204EFE754EF65C885AAEBBE6EF49700F04C16CF94A9B362DB74AC04CB94
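The API block of the record above (IsWindow, GetForegroundWindow, GetDC, GetPixel, ReleaseDC) is the kind of call chain a triager wants to pull out of a report mechanically rather than by eye. The following is an added example, not code from the Joe Sandbox report or its IDA plugin: a small Python parser for the "APIs" lines in this report format, plus an ordered-subsequence check for the foreground-window pixel probe. The sample block is copied from the record above; the chain name PIXEL_PROBE_CHAIN and the remark that the sequence is consistent with AutoIt's PixelGetColor are assumptions of this example, not statements the report makes.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "APIs" lines of one function record, in the shape
# the report prints them (API.MODULE(args), ref: address). Copied from the
# record above; no other lines of the report are needed.
SAMPLE_APIS = """\
• IsWindow.USER32(00000000), ref: 006F0951
• GetForegroundWindow.USER32 ref: 006F0968
• GetDC.USER32(00000000), ref: 006F09A4
• GetPixel.GDI32(00000000,?,00000003), ref: 006F09B0
• ReleaseDC.USER32(00000000,00000003), ref: 006F09E8
"""

# One report line: bullet, ApiName.MODULE, optional "(arg,arg,...)", "ref: hex".
# "Part of subcall function ..." lines deliberately do not match and are skipped.
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple          # raw argument tokens as printed ("?" means unresolved)
    ref: int             # address of the call site


def parse_api_block(text):
    """Turn the report's 'APIs' lines into ApiCall records, in print order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args is not None else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


# Assumed chain name (this example's, not the report's): a pixel read from the
# foreground window's DC. The sequence is consistent with AutoIt's PixelGetColor
# and is commonly used to wait for a live, changing desktop before acting.
PIXEL_PROBE_CHAIN = ("GetForegroundWindow", "GetDC", "GetPixel", "ReleaseDC")


def contains_chain(calls, chain):
    """True if every API in `chain` appears in that order, by call-site address.

    The match is a subsequence, not adjacency: unrelated calls may sit between
    the chain's elements, which is how these chains usually appear in listings.
    """
    names = iter(c.api for c in sorted(calls, key=lambda c: c.ref))
    return all(any(n == wanted for n in names) for wanted in chain)


def flag_record(text):
    """Parse one record's API block and report whether the pixel probe is present."""
    calls = parse_api_block(text)
    hit = contains_chain(calls, PIXEL_PROBE_CHAIN)
    span = (min(c.ref for c in calls), max(c.ref for c in calls)) if calls else None
    return {"calls": len(calls), "pixel_probe": hit, "ref_span": span}


if __name__ == "__main__":
    result = flag_record(SAMPLE_APIS)
    print(f"calls={result['calls']} pixel_probe={result['pixel_probe']} "
          f"ref_span={tuple(hex(r) for r in result['ref_span'])}")
```

The subsequence check is intentionally loose: the same four calls appear in benign screen-capture code, so a hit here is a triage pointer to the listed ref addresses, not a verdict on its own.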
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 006ACDC6
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006ACDE9
  • Part of subcall function 006A3820: RtlAllocateHeap.NTDLL(00000000,?,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6,?,00671129), ref: 006A3852
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006ACE0F
• _free.LIBCMT ref: 006ACE22
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006ACE31
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 0d4b69a073d2e0e7487231c1b6eb0912e17bc8a1526af968b05fb8239de96cb8
• Instruction ID: bfb05163912ced6b25cc3abd0863e6571d63691a5c7c40fada9268bcfa4307c7
• Opcode Fuzzy Hash: 0d4b69a073d2e0e7487231c1b6eb0912e17bc8a1526af968b05fb8239de96cb8
• Instruction Fuzzy Hash: 5B01D8726012157FA72137BA6C48C7BA96EEEC7BB1315426DF905D7301EE648D0289F4
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00689693
• SelectObject.GDI32(?,00000000), ref: 006896A2
• BeginPath.GDI32(?), ref: 006896B9
• SelectObject.GDI32(?,00000000), ref: 006896E2
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: c3655b174bf1995f8f6f2012b3fe065c9625977bdba8cad07600eee2b28d2574
• Instruction ID: 8650cd9ef35c12f1583126adb5716dcf9b8a6c453a690b44c7fc5db2490488d9
• Opcode Fuzzy Hash: c3655b174bf1995f8f6f2012b3fe065c9625977bdba8cad07600eee2b28d2574
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 82217174801345EBEB11BF64DC047F93B66BB01315F548317F410A61A0E77868D1CFA8
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _memcmp
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2931989736-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 34c16b7c07df049d01809d1f035037382d586bbd434a84876f6b1358b5620c93
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 7232e8ae29602a62ab42674934e3db59d42fbbb70744b63a955e10776a617c3b
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34c16b7c07df049d01809d1f035037382d586bbd434a84876f6b1358b5620c93
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D101D6A1A41605FAE61851109D42EFB739F9B22394B200026FD069EF81FA60ED1186B4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32(?,?,?,0069F2DE,006A3863,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6), ref: 006A2DFD
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2E32
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2E59
                                                                                                                                                                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000,00671129), ref: 006A2E66
                                                                                                                                                                                                                                                                                                                                                                                • SetLastError.KERNEL32(00000000,00671129), ref: 006A2E6F
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorLast$_free
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3170660625-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 1e44963ec2f6b11c2dac8921102c53ba8c70c5233784b19bfab8661019634308
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: d36a7fed01397c3c2358aeb3016c633e995b14ada113311d059d0aa065371f94
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1e44963ec2f6b11c2dac8921102c53ba8c70c5233784b19bfab8661019634308
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 470149322C46026BC613733D2C96D6B265BBBC3771720422CF421E2392EF38CC410D25
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?,?,006D035E), ref: 006D002B
                                                                                                                                                                                                                                                                                                                                                                                • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?), ref: 006D0046
                                                                                                                                                                                                                                                                                                                                                                                • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?), ref: 006D0054
                                                                                                                                                                                                                                                                                                                                                                                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?), ref: 006D0064
                                                                                                                                                                                                                                                                                                                                                                                • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?), ref: 006D0070
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3897988419-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 0b6bda09415d5670352e7a485a80b97ea55f611c4217ab6bc4a6ecc5fe506de6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4e96c80fc3a6c5e96ac05ee8196baa4cdf3badbb929bea343b415846fe9fec11
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0b6bda09415d5670352e7a485a80b97ea55f611c4217ab6bc4a6ecc5fe506de6
• Instruction Fuzzy Hash: 6901A272A00204FFEB114F68DC04BAA7AEEEF84752F148225F905D6350DBB5DD408BA4
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 006DE997
• QueryPerformanceFrequency.KERNEL32(?), ref: 006DE9A5
• Sleep.KERNEL32(00000000), ref: 006DE9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 006DE9B7
• Sleep.KERNEL32 ref: 006DE9F3
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 24574819aaa9ff204d7e2324cd3e416761820ef1ca20573d58acadcecf453de3
• Instruction ID: 576d54e9673b2ff76fb0b8d1e1b931f390cdcc18a5d9ac8edf40f7a53cde23a8
• Opcode Fuzzy Hash: 24574819aaa9ff204d7e2324cd3e416761820ef1ca20573d58acadcecf453de3
• Instruction Fuzzy Hash: 31016971C0262DDBCF00AFE4DC69AEDBB79FF08300F004656E502BA240CB399551CBA5
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006D1114
• GetLastError.KERNEL32(?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1120
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D112F
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1136
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006D114D
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: bc4075c5ed620cbfb5757f2289a35287be4a53e2701a17504e5d5807131aa3be
• Instruction ID: 321a75c3afeb59e1bff40d88eb9cff5656137af84be594ac3c85cfbeaa973941
• Opcode Fuzzy Hash: bc4075c5ed620cbfb5757f2289a35287be4a53e2701a17504e5d5807131aa3be
• Instruction Fuzzy Hash: 35011D75500205FFEB124F65DC49AAA3B7EEF8A360B204615FA45D7350DE75DC009A64
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006D0FCA
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006D0FD6
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006D0FE5
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006D0FEC
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006D1002
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: df0156e98fd5d1acd170b656df16914eb8c76faedd775361c81afdea70675c02
• Instruction ID: b4c4900f2e05f53a8cfedb713f31a5e681e6dba65859393bf1f0bcd353e0696b
• Opcode Fuzzy Hash: df0156e98fd5d1acd170b656df16914eb8c76faedd775361c81afdea70675c02
• Instruction Fuzzy Hash: 83F04F75600305FBD7225FA59C49F963B6EEF8A761F108615F945CA351CE74DC408A60
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006D102A
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006D1036
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006D1045
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006D104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006D1062
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 44706859-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: de4ea7b628e3e44b1b02c113b97c0421d8b5c8738c848b1b12f20490e1dd8ed1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 3ecf9cd5a89387e4ec781d9ca001f7509f0e3fc5514ac8144c8775ff8fbd5bfc
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: de4ea7b628e3e44b1b02c113b97c0421d8b5c8738c848b1b12f20490e1dd8ed1
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 26F04F75200305FBD7226FA4EC49F963B6EEF8A761F104615F945CA350CE74DC808A60
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E0324
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E0331
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E033E
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E034B
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E0358
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E0365
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CloseHandle
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2962429428-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 6c758d888037d8d62c7e11ae46fe9c98a988773696d582e0c52b103fb5343bca
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 1f826990833473cb5200e738e868ac3a560131eb1ca2ba254feffe262f751a37
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6c758d888037d8d62c7e11ae46fe9c98a988773696d582e0c52b103fb5343bca
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C201E272801B42DFD7309F66D880442F7F6BF503053158A3FD19252A30C3B1A984CF80
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD752
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD764
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD776
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD788
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006AD79A
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 3e6019ffa026cca1e66410f55736b3a45a2d0e8ff19c1c788a3219b5a5353020
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 25fa1911e4524342f1fb330f6d159d27089957e11b4ee9c507681f7c51d15bf0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3e6019ffa026cca1e66410f55736b3a45a2d0e8ff19c1c788a3219b5a5353020
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C4F0AF32141209AF82A6FB29F8C1C9B37DFBB06B11B950809F009E3A01C724FC808F68
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A22BE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A22D0
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A22E3
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A22F4
                                                                                                                                                                                                                                                                                                                                                                                • _free.LIBCMT ref: 006A2305
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• EndPath.GDI32(?), ref: 006895D4
• StrokeAndFillPath.GDI32(?,?,006C71F7,00000000,?,?,?), ref: 006895F0
• SelectObject.GDI32(?,00000000), ref: 00689603
• DeleteObject.GDI32 ref: 00689616
• StrokePath.GDI32(?), ref: 00689631
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
APIs
Strings
Similarity
• API ID: __freea$_free
• String ID: a/p$am/pm
• API String ID: 3432400110-3206640213
APIs
  • Part of subcall function 00690242: EnterCriticalSection.KERNEL32(0074070C,00741884,?,?,0068198B,00742518,?,?,?,006712F9,00000000), ref: 0069024D
  • Part of subcall function 00690242: LeaveCriticalSection.KERNEL32(0074070C,?,0068198B,00742518,?,?,?,006712F9,00000000), ref: 0069028A
  • Part of subcall function 006900A3: __onexit.LIBCMT ref: 006900A9
• __Init_thread_footer.LIBCMT ref: 006F6238
  • Part of subcall function 006901F8: EnterCriticalSection.KERNEL32(0074070C,?,?,00688747,00742514), ref: 00690202
  • Part of subcall function 006901F8: LeaveCriticalSection.KERNEL32(0074070C,?,00688747,00742514), ref: 00690235
  • Part of subcall function 006E359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006E35E4
  • Part of subcall function 006E359C: LoadStringW.USER32(00742390,?,00000FFF,?), ref: 006E360A
Strings
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                                                                                                                                                                                                                                                                                                                                                • String ID: x#t$x#t$x#t
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1072379062-2514561250
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 5eb0abe5c13051675f70923b0fecfd0bc4ba84250a82c9490b4ad68fb0dbb60e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e04777438adb1b0f6af3bfe26cda23d9a4cd4cd14eee40992926063168454843
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5eb0abe5c13051675f70923b0fecfd0bc4ba84250a82c9490b4ad68fb0dbb60e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1DC16D71A00109AFDB14EF98C891DBEB7BAEF49300F148169FA15AB291DB70ED45CB94
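The same six `.sdmp` identifiers appear under Memory Dump Source in every function record of this section. The Python below is an added example, not part of the Joe Sandbox report and not Joe Security's code: it splits an identifier into its dot-separated fields and names the protection and region-type fields with the standard Windows PAGE_* and MEM_* constants. The eight-field layout is an assumption read off the identifiers on this page; fields 1, 2, 3, 6 and 8 are kept verbatim because the page does not establish what they mean. Under that assumption the decoded values agree with the `Offset: 00670000` reported above: the page at 0x670000 is read-only, as a mapped PE header would be, and the 0x671000 dump that the disassembly is taken from is the only execute-read region.

```python
"""Decode Joe Sandbox memory-dump identifiers (.sdmp) from a report record.

Added example, not code from the report or from Joe Security. The field
layout (8 dot-separated fields before '.sdmp') is an ASSUMPTION read off
the identifiers on this page; the names given to the protection and type
fields are the standard Windows PAGE_* and MEM_* constants.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Standard Windows page-protection values (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_BITS = 0x10 | 0x20 | 0x40 | 0x80
PROTECTION_MASK = 0xFF  # drop modifiers such as PAGE_GUARD (0x100)

# Standard Windows region-type values as returned by VirtualQuery.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass(frozen=True)
class DumpId:
    process_index: str   # field 1, kept verbatim (assumed meaning)
    dump_index: str      # field 2, kept verbatim (assumed meaning)
    unique_id: str       # field 3, kept verbatim
    base_address: int    # field 4, hex; matches the 'Offset:' value on the page
    protection: int      # field 5, hex; decoded with PAGE_PROTECTION
    field6: str          # field 6, meaning not established on this page
    mem_type: int        # field 7, hex; decoded with MEM_TYPE
    field8: str          # field 8, meaning not established on this page

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & PROTECTION_MASK,
                                   f"0x{self.protection:X}")

    @property
    def is_executable(self) -> bool:
        return bool(self.protection & EXECUTE_BITS)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")


def parse_dump_id(name: str) -> DumpId:
    """Split an .sdmp identifier into fields; raise ValueError if malformed."""
    stem, dot, ext = name.strip().rpartition(".")
    if not dot or ext != "sdmp":
        raise ValueError(f"not an .sdmp identifier: {name!r}")
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}: {name!r}")
    try:
        base, prot, mtype = (int(parts[i], 16) for i in (3, 4, 6))
    except ValueError as exc:
        raise ValueError(f"non-hex field in {name!r}") from exc
    return DumpId(parts[0], parts[1], parts[2], base, prot, parts[5], mtype, parts[7])


def region_layout(names: Sequence[str]) -> List[Tuple[int, str, str]]:
    """(base address, protection, type) for each dump, sorted by address."""
    dumps = sorted((parse_dump_id(n) for n in names), key=lambda d: d.base_address)
    return [(d.base_address, d.protection_name, d.type_name) for d in dumps]


def executable_bases(names: Sequence[str]) -> List[int]:
    """Base addresses of the dumps whose pages carry an execute bit."""
    return [d.base_address for d in map(parse_dump_id, names) if d.is_executable]


# The six identifiers from the record above (source file plus associated dumps).
RECORD_DUMPS = [
    "00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for base, prot, mtype in region_layout(RECORD_DUMPS):
        print(f"{base:#010x}  {prot:<24}{mtype}")
    print("executable:", [hex(b) for b in executable_bases(RECORD_DUMPS)])
```

Running the file prints the six regions in address order with their decoded protection. When deciding which dumps to load into IDA for a record like this one, `executable_bases` gives the candidates that can hold code; the read-only and read-write image regions are where the `Strings` entries are resolved from.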
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID:
• String ID: JOg
• API String ID: 0-645625397
• Opcode ID: 6cf7d88ecd5abce6dcc469492a21b3283c115757cc1b28ace6925851491b4c0e
• Instruction ID: e012718a03efe5da80a702aa77cae844a598085fda54cf1ea30c1621f8458c17
• Opcode Fuzzy Hash: 6cf7d88ecd5abce6dcc469492a21b3283c115757cc1b28ace6925851491b4c0e
• Instruction Fuzzy Hash: 6051AE75900609ABCF11FFA8C845BEEBBBAAF06324F14005EF507A7292D6359E018F65
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 006A8B6E
• GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 006A8B7A
• __dosmaperr.LIBCMT ref: 006A8B81
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr
• String ID: .i
• API String ID: 2434981716-2647164722
• Opcode ID: a386653e51266ebcd5670687cb90bf86fc04500dfd7cd1b3c70f9faeb1a1a7e2
• Instruction ID: 5353e6a9359748ff0b057722ab8543cfea4630a87829eef504b5a5398fef7f34
• Opcode Fuzzy Hash: a386653e51266ebcd5670687cb90bf86fc04500dfd7cd1b3c70f9faeb1a1a7e2
• Instruction Fuzzy Hash: D54160B0604145AFDB25AF54C880ABD7FE7DB87304B2881AAF98587652DE35CC028FA4
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\6eftz6UKDm.exe,00000104), ref: 006A1769
• _free.LIBCMT ref: 006A1834
• _free.LIBCMT ref: 006A183E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\6eftz6UKDm.exe
• API String ID: 2506810119-2378256198
• Opcode ID: 21dbe8b303686cbf3e6ae24327481f664d0b2be6fbbfc91c5b19d9cacacc44e0
• Instruction ID: ce58d4fb8749f1f9b09e2e8eddaca525c7820c8ce80987f4b24bec9e67795c08
• Opcode Fuzzy Hash: 21dbe8b303686cbf3e6ae24327481f664d0b2be6fbbfc91c5b19d9cacacc44e0
• Instruction Fuzzy Hash: 8D31A275A40218EFCB21EB999881D9EBBFEEB87310F50416AF404DB211D7B48E40CF94
APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006DC306
• DeleteMenu.USER32(?,00000007,00000000), ref: 006DC34C
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00741990,013F5530), ref: 006DC395
Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Menu$Delete$InfoItem
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 0
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 135850232-4108050209
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 0f2c6121a08bedfe25fea75d26409e18a922bd55fad0f89348f0808e5e07363c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 519710a6c378a41f5498e19c61ffb1d05f92f80a3cc1f9808181bf1dc63c473a
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0f2c6121a08bedfe25fea75d26409e18a922bd55fad0f89348f0808e5e07363c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1C41BF31A04346DFDB20DF28D884B5ABBE6AF85320F11861EF9A5973D1C730E904CB66
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0070CC08,00000000,?,?,?,?), ref: 007044AA
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32 ref: 007044C7
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007044D7
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$Long
                                                                                                                                                                                                                                                                                                                                                                                • String ID: SysTreeView32
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 847901565-1698111956
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 91ef53047b96758324edb57e52c487b2b8816e8455a12e17325d0e15fa4d6044
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e1e66478e879de96f2a1e22fd76208cf89d6f87b095690ebd79752337acede82
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 91ef53047b96758324edb57e52c487b2b8816e8455a12e17325d0e15fa4d6044
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D1319CB1210245EBDB219F38DC45BEA77A9EB08334F208319FA79922D0DB78AC609750
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SysReAllocString.OLEAUT32(?,?), ref: 006D6EED
                                                                                                                                                                                                                                                                                                                                                                                • VariantCopyInd.OLEAUT32(?,?), ref: 006D6F08
                                                                                                                                                                                                                                                                                                                                                                                • VariantClear.OLEAUT32(?), ref: 006D6F12
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Variant$AllocClearCopyString
                                                                                                                                                                                                                                                                                                                                                                                • String ID: *jm
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2173805711-1720354028
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: da4c27788201152a0c6fd5d9752b8099981ea18968945bfaee912f28e549b3e7
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e4938c505bcf07b240d03f7ac1783e22eadf15fe9531d5d4d8e26dcaa33f7e70
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: da4c27788201152a0c6fd5d9752b8099981ea18968945bfaee912f28e549b3e7
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3231CFB1A04645DBCB05AFA5E8909BE37B7FF80300B10459EF9024B3B1CB349D12CBA4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006F335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,006F3077,?,?), ref: 006F3378
                                                                                                                                                                                                                                                                                                                                                                                • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006F307A
• _wcslen.LIBCMT ref: 006F309B
• htons.WSOCK32(00000000,?,?,00000000), ref: 006F3106
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 946324512-2422070025
• Opcode ID: b9507baac4f69ac285bdbf2679608bb24084f23bf96563d38788626a8672a776
• Instruction ID: 97308691bd579e6d052704c54b438f7f03688258ee6724a6005609df5105149d
• Opcode Fuzzy Hash: b9507baac4f69ac285bdbf2679608bb24084f23bf96563d38788626a8672a776
• Instruction Fuzzy Hash: 7E31C1356002199FCB10CF28C585EBA77E2EF15318F24C15AEA158B392DB72EE45C761
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00704705
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00704713
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0070471A
Strings
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: fc6b5b80054ef78ccd870a3b1917b3169a4fdc361cebc785272f88a9729068d0
• Instruction ID: c93b3136dc82cdf0f40b730f1d3f59ad17eafb89df05c32d7dae3903ab7ee1f6
• Opcode Fuzzy Hash: fc6b5b80054ef78ccd870a3b1917b3169a4fdc361cebc785272f88a9729068d0
• Instruction Fuzzy Hash: EC217CF5600209EFEB10DF68DC91DA637EDEB4A3A4B004149FA009B2A1CB35EC51CA64
APIs
Strings
Similarity
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 176396367-2734436370
• Opcode ID: 78ca10a358a1f0fdb613a27bbf89e375b650579cc3c29d06ce7b029ae1fecba0
• Instruction ID: c5f4a7fc69e0ef67c70f35e114883e5c4f241930c023433f6b39cdf5643b900c
• Opcode Fuzzy Hash: 78ca10a358a1f0fdb613a27bbf89e375b650579cc3c29d06ce7b029ae1fecba0
• Instruction Fuzzy Hash: ED212672604151A6D771BB24A802FF773DA9F91310F10402BF94997782EB55ED92C3E9
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00703840
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00703850
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00703876
Strings
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: 81389cf97d70e00d4a6c6c2d166f862ff0ad3d346ee3e29259f17e3eb96f19cd
• Instruction ID: 65bc9cc4aca2bb745a49bbb3eb903876e324758cf0b66d4803d6147dc9f20558
• Opcode Fuzzy Hash: 81389cf97d70e00d4a6c6c2d166f862ff0ad3d346ee3e29259f17e3eb96f19cd
• Instruction Fuzzy Hash: CE218072610118FBEB229F54CC85EBB37AEEF89764F108214F9449B1D0CA79DC5287A0
APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006D2258
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006D228A
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006D22CA
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 763830540-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: eb6f0413d5b8d8b5a35fc0737d46ae7a4478ec4fa54db7e464b5f0b6ad4567f8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 718dbd1be8f26c7440463f6411779885cb30d8e68c92f7f92fd4ec4c41c22600
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eb6f0413d5b8d8b5a35fc0737d46ae7a4478ec4fa54db7e464b5f0b6ad4567f8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 86214931B00205ABDF209F55CD49FEE3BAEEB68710F04806AFA09D7380DB748A4587A1
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 006E4A08
                                                                                                                                                                                                                                                                                                                                                                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006E4A5C
                                                                                                                                                                                                                                                                                                                                                                                • SetErrorMode.KERNEL32(00000000,?,?,0070CC08), ref: 006E4AD0
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorMode$InformationVolume
                                                                                                                                                                                                                                                                                                                                                                                • String ID: %lu
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2507767853-685833217
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 93977e1c30094b7f16fdf09663966fa149141082c638d2b3cd09b2223471431e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: ad027e66b38b363e68625cc83f392dd4e73765c27f9cfeff99918cb58212218d
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 93977e1c30094b7f16fdf09663966fa149141082c638d2b3cd09b2223471431e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 19318170A00208AFDB11DF64C885EAA77F9EF08304F1480A9F409DB352DB75ED45CB65
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 006D1B4F
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006D1B61
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000000D,?,00000000), ref: 006D1B99
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3850602802-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 09a39c645583fc22d5e43f0fb2152c3e736cd141a8d7745fc8c3b3d6322ed9ee
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 5a32bed1b429f0b3eee39fb6035a4afb2ad2a5ccb9a43a1f6040c04556b1500b
• Opcode Fuzzy Hash: 09a39c645583fc22d5e43f0fb2152c3e736cd141a8d7745fc8c3b3d6322ed9ee
• Instruction Fuzzy Hash: 05219372A00118BFDB15DBA8C941DAEB7FFEF45340F1005ABE105E7290DAB1AE418B94
APIs
• SendMessageW.USER32(00000402,00000000,00000000), ref: 006F0D24
• SendMessageW.USER32(0000000C,00000000,?), ref: 006F0D65
• SendMessageW.USER32(0000000C,00000000,?), ref: 006F0D8D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: c8e50e08cc1a2ee6adf86d108450809a4c1f774418834f4997f8a183b4c1e83b
• Instruction ID: 9dd68093f9bd40aafd1ef37e74acc63f1d0077769ba33c6717a0912f8e79244b
• Opcode Fuzzy Hash: c8e50e08cc1a2ee6adf86d108450809a4c1f774418834f4997f8a183b4c1e83b
• Instruction Fuzzy Hash: EF212235200500AFE710EF64D991E2AB7EAFF0A710B00C599EA199B662DB30BC51CB98
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0070424F
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00704264
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00704271
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: fccf9f28e5d052cb2fadf88d0f3e2bf4b9544da2480cee5603c03d1b72f6c291
• Instruction ID: ea3f1cff94321fd0b692d536d0aa9f628970cf00adb2be7ab8bb8d214e8220fc
• Opcode Fuzzy Hash: fccf9f28e5d052cb2fadf88d0f3e2bf4b9544da2480cee5603c03d1b72f6c291
• Instruction Fuzzy Hash: BE11C171240208BEEF209F28CC06FAB3BECEF85B64F014218FA55E20D0D675D8619B14
APIs
  • Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A
  • Part of subcall function 006D2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 006D2DC5
  • Part of subcall function 006D2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 006D2DD6
  • Part of subcall function 006D2DA7: GetCurrentThreadId.KERNEL32 ref: 006D2DDD
  • Part of subcall function 006D2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 006D2DE4
• GetFocus.USER32 ref: 006D2F78
  • Part of subcall function 006D2DEE: GetParent.USER32(00000000), ref: 006D2DF9
• GetClassNameW.USER32(?,?,00000100), ref: 006D2FC3
• EnumChildWindows.USER32(?,006D303B), ref: 006D2FEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
• String ID: %s%d
• API String ID: 1272988791-1110647743
• Opcode ID: d3cbca61e689a25c1c073a604d87042821aa6ae8881d510ff2b9af0dc0cc1516
• Instruction ID: 08f8c4c9c327fc762a85a1d07ef21181edffdcac21f47ac6e3eccd05056cfe2e
• Opcode Fuzzy Hash: d3cbca61e689a25c1c073a604d87042821aa6ae8881d510ff2b9af0dc0cc1516
• Instruction Fuzzy Hash: 5911E471A00205ABDF917F70CC95EEE376BAF94304F04817AF9099B392DE359A498B74
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 007034AB
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007034BA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: LengthMessageSendTextWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u$edit
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2978978980-590756393
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 49d577732edda4e4e22c59a2463f34814fbb968093fe01160a320cb648db43fa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 94151ee3e544798e99265e5beee970a0472610108e550c1b0f9e740058cf1c5b
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 49d577732edda4e4e22c59a2463f34814fbb968093fe01160a320cb648db43fa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 48118C71100248EBEB228F64DC84ABB37AEEF05374F508724F9659B1E0C779EC919B65
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007058C1
                                                                                                                                                                                                                                                                                                                                                                                • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007058EE
                                                                                                                                                                                                                                                                                                                                                                                • DrawMenuBar.USER32(?), ref: 007058FD
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Menu$InfoItem$Draw
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 0
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3227129158-4108050209
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: cd6b988e9b1f30a90119965a190aa300b988316e6c66b729cdb25f331d9f9977
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 8fa6db693672f91ab4a3c7df229cb0456cd23e7a13c20ac84c5f90622a30a1da
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cd6b988e9b1f30a90119965a190aa300b988316e6c66b729cdb25f331d9f9977
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DF01A931500208EFDB219F11DC48BAFBBB5FB45361F1082A9F848D6191DB789A90EF20
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetForegroundWindow.USER32(?,007418B0,0070A364,000000FC,?,00000000,00000000,?,?,?,006C76CF,?,?,?,?,?), ref: 00707805
                                                                                                                                                                                                                                                                                                                                                                                • GetFocus.USER32 ref: 0070780D
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689944: GetWindowLongW.USER32(?,000000EB), ref: 00689952
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 0070787A
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$Long$FocusForegroundMessageSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3601265619-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 982ad0cd924fecfeacc0b089aa5389537cdf61707d5cf532dbe49a07a683aab7
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 6f4ad0fc682d28804140cea02ec4e550a972398d6328a5a1493599598bfcc911
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 982ad0cd924fecfeacc0b089aa5389537cdf61707d5cf532dbe49a07a683aab7
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D0018435A01110CFD769EB28D858AB633E6EF8A320F1887ADE015872E0CB397C46CF54
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Variant$ClearInitInitializeUninitialize
• String ID:
• API String ID: 1998397398-0
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0070FC08,?), ref: 006D05F0
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0070FC08,?), ref: 006D0608
• CLSIDFromProgID.OLE32(?,?,00000000,0070CC40,000000FF,?,00000000,00000800,00000000,?,0070FC08,?), ref: 006D062D
• _memcmp.LIBVCRUNTIME ref: 006D064E
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 006FA6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 006FA6BA
  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
• Process32NextW.KERNEL32(00000000,?), ref: 006FA79C
• CloseHandle.KERNEL32(00000000), ref: 006FA7AB
  • Part of subcall function 0068CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,006B3303,?), ref: 0068CE8A
Similarity
• API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
• String ID:
• API String ID: 1991900642-0
APIs
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _free
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 269201875-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d48fc3ad084f29c3038847b65c276018edaacedc275325d8e0700d2d84ced069
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 9a628888ba1285d9d6f947a8bc9a826ad20ca0d1bf66e8048acae57b92b499c8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d48fc3ad084f29c3038847b65c276018edaacedc275325d8e0700d2d84ced069
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3A4137B1600110BBDF217BF98C556EE3AEBEF43330F644269F419CA292EA348D814766
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 006F1AFD (arguments decode to AF_INET, SOCK_DGRAM, IPPROTO_UDP: a UDP socket)
• WSAGetLastError.WSOCK32 ref: 006F1B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006F1B8A (export ordinal 21 of WSOCK32 is setsockopt; 0000FFFF is SOL_SOCKET and 00000020 is SO_BROADCAST, so the socket is enabled for broadcast)
• WSAGetLastError.WSOCK32 ref: 006F1B94
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
• Opcode ID: ba557d1b6b007c8801af4ce3b0bc709f7e3946c90f70ca550ed7f08933525f95
• Instruction ID: 40c8c39ba67267b8ea73a6c01c136f79412fc48c07316d21c46d06eff1f41baa
• Opcode Fuzzy Hash: ba557d1b6b007c8801af4ce3b0bc709f7e3946c90f70ca550ed7f08933525f95
• Instruction Fuzzy Hash: 3C41BE34640200EFE760AF24C886F6A77E6AB45718F54C54CFA1A9F3D3D672ED428B94
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 59eade04012d86d120e427c93c684d68095e7dab366d3afc7731aa274f8e6637
• Instruction ID: a2c08efa17b77f7b94433d0efd1f8ff4a2446cc60a872e858c9e76c665e2f292
• Opcode Fuzzy Hash: 59eade04012d86d120e427c93c684d68095e7dab366d3afc7731aa274f8e6637
• Instruction Fuzzy Hash: 4841D371A00704BFD724AF78CC41BAABBEAEF8A710F10452EF551DB682D771AD418B94
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006E5783
• GetLastError.KERNEL32(?,00000000), ref: 006E57A9
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006E57CE
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006E57FA (the call sequence, create, read the error, delete, create again, is consistent with a create-or-replace hard link that removes an existing target and retries)
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 6415a86d135d9491d22ceeabc0421df45ee6c752eb2fb11829afe1f15959b97e
• Instruction ID: ec53b9d0a3adce2431161d8b3f464251d327104b8ee0a65a17b473bf999fe7ca
• Opcode Fuzzy Hash: 6415a86d135d9491d22ceeabc0421df45ee6c752eb2fb11829afe1f15959b97e
• Instruction Fuzzy Hash: 94412939600610DFCB11EF15C584A5EBBE2EF89724B18C488E85AAB362CB34FD00CB95
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00696D71,00000000,00000000,006982D9,?,006982D9,?,00000001,00696D71,?,00000001,006982D9,006982D9), ref: 006AD910
                                                                                                                                                                                                                                                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006AD999
                                                                                                                                                                                                                                                                                                                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006AD9AB
                                                                                                                                                                                                                                                                                                                                                                                • __freea.LIBCMT ref: 006AD9B4
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006A3820: RtlAllocateHeap.NTDLL(00000000,?,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6,?,00671129), ref: 006A3852
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2652629310-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: a66779ae24c7e2d937671a693b508a1352316e21eaadf71cf47dc0412fa167b6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 3065ad20dc9e3b23ecec7c14bdeb99d5a71c30b05f44fb25311d38a33eb5dce8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a66779ae24c7e2d937671a693b508a1352316e21eaadf71cf47dc0412fa167b6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2831A072A0020AABDF25AF64DC45EEF7BAAEF42310B054268FC05D7291EB35DD55CB90
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 006DABF1
                                                                                                                                                                                                                                                                                                                                                                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 006DAC0D
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000101,00000000), ref: 006DAC74
                                                                                                                                                                                                                                                                                                                                                                                • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 006DACC6
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 432972143-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 5048f14fffc1b860e18c68337952a45e0fdcab34455c5f446f191f73b43a78bd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: a6f3e7c864e2af0f380a691d5d44b4be262712d1c49ae3ae455c746aee66275e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5048f14fffc1b860e18c68337952a45e0fdcab34455c5f446f191f73b43a78bd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 19310C30E68618AFFF35CBA58C047FA7767AB89330F04431BE485523D1C77589458756
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • ClientToScreen.USER32(?,?), ref: 0070769A
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 00707710
                                                                                                                                                                                                                                                                                                                                                                                • PtInRect.USER32(?,?,00708B89), ref: 00707720
                                                                                                                                                                                                                                                                                                                                                                                • MessageBeep.USER32(00000000), ref: 0070778C
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1352109105-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 35a199f4cd0767ea9c1ea8937ecf8cb432643f9c07e7e6a9e99fff5dee2a725b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 8af11dd90015ec5f43ce150c388cba46651169716db28bae517dc0b7a168fa31
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 35a199f4cd0767ea9c1ea8937ecf8cb432643f9c07e7e6a9e99fff5dee2a725b
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9941CE38A05254DFCB09DF58C894EA877F0FF49390F5992A9E8148B2A0C739F981CF90
APIs
• GetForegroundWindow.USER32 ref: 007016EB
  • Part of subcall function 006D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006D3A57
  • Part of subcall function 006D3A3D: GetCurrentThreadId.KERNEL32 ref: 006D3A5E
  • Part of subcall function 006D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006D25B3), ref: 006D3A65
• GetCaretPos.USER32(?), ref: 007016FF
• ClientToScreen.USER32(00000000,?), ref: 0070174C
• GetForegroundWindow.USER32 ref: 00701752
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: 80c20f9eaa261f2996a926161b2155110dfe29db99a06dc9374d7136c8a23d9c
• Instruction ID: a2fe632ef4ec988028f1eda8eceaf29d77657881624a0cfc38344a0b95a13b29
• Opcode Fuzzy Hash: 80c20f9eaa261f2996a926161b2155110dfe29db99a06dc9374d7136c8a23d9c
• Instruction Fuzzy Hash: A8314175D00149EFC740DFA9C881CAEBBF9EF48304B5481AEE415E7251DB359E45CBA4
APIs
  • Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2
• GetCursorPos.USER32(?), ref: 00709001
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006C7711,?,?,?,?,?), ref: 00709016
• GetCursorPos.USER32(?), ref: 0070905E
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006C7711,?,?,?), ref: 00709094
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: ec21751e967a046792547f45be657484a1bbd75690bf6ac2ff1fb77ebf86e4be
• Instruction ID: 563bd4982321b8b4e8656b791023126e50718da705f6b967542ff8cd041b7035
• Opcode Fuzzy Hash: ec21751e967a046792547f45be657484a1bbd75690bf6ac2ff1fb77ebf86e4be
• Instruction Fuzzy Hash: 8321A135600018EFDB269F94CC58EFB7BF9EF4A350F144269FA45472A2C739A990DB60
APIs
• GetFileAttributesW.KERNEL32(?,0070CB68), ref: 006DD2FB
• GetLastError.KERNEL32 ref: 006DD30A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 006DD319
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0070CB68), ref: 006DD376
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
• Opcode ID: 12bcf468aa62447e6ea3992e5e28aacd68e628e811995be1da7591bdf5273e52
• Instruction ID: 1bb99067e6bcce2ea6e12ebb493fb969a3defa2d96eef492ee06b86bf8f725a7
• Opcode Fuzzy Hash: 12bcf468aa62447e6ea3992e5e28aacd68e628e811995be1da7591bdf5273e52
• Instruction Fuzzy Hash: E4217F70909201DFC710EF28C8818AAB7E5AE56364F108B1EF499C73E1DB31D946CB97
APIs
  • Part of subcall function 006D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006D102A
  • Part of subcall function 006D1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006D1036
  • Part of subcall function 006D1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006D1045
  • Part of subcall function 006D1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006D104C
  • Part of subcall function 006D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006D1062
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006D15BE
• _memcmp.LIBVCRUNTIME ref: 006D15E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D1617
• HeapFree.KERNEL32(00000000), ref: 006D161E
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1592001646-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ff3bfc52fde324755d084c798d46f20a479bdaf05cd03fdb4898c6692d6815fd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 87468ffac05f0d270cb0846c1f249ad84054e68813ae04c37f35500131298d1c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ff3bfc52fde324755d084c798d46f20a479bdaf05cd03fdb4898c6692d6815fd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A8216B71E00109FFDB10DFA4C945BEEB7B9EF45344F18855AE441AB341D774AA45CB50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0070280A
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00702824
                                                                                                                                                                                                                                                                                                                                                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00702832
                                                                                                                                                                                                                                                                                                                                                                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00702840
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Window$Long$AttributesLayered
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2169480361-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 01f3177c0fdc9146dc8b47e300261abc78d7a08daa8865ac8b37cfae76278be3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: dcdc663f5b00815e75d2aeccac142d428b4d4cad4495afbe5f5808c6e011c5c6
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 01f3177c0fdc9146dc8b47e300261abc78d7a08daa8865ac8b37cfae76278be3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1C21B236204111EFE7159B24CC48F6A7795AF45324F24C358F5168B6D3DB79EC42C790
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,006D790A,?,000000FF,?,006D8754,00000000,?,0000001C,?,?), ref: 006D8D8C
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D8D7D: lstrcpyW.KERNEL32(00000000,?,?,006D790A,?,000000FF,?,006D8754,00000000,?,0000001C,?,?,00000000), ref: 006D8DB2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006D8D7D: lstrcmpiW.KERNEL32(00000000,?,006D790A,?,000000FF,?,006D8754,00000000,?,0000001C,?,?), ref: 006D8DE3
                                                                                                                                                                                                                                                                                                                                                                                • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,006D8754,00000000,?,0000001C,?,?,00000000), ref: 006D7923
                                                                                                                                                                                                                                                                                                                                                                                • lstrcpyW.KERNEL32(00000000,?,?,006D8754,00000000,?,0000001C,?,?,00000000), ref: 006D7949
                                                                                                                                                                                                                                                                                                                                                                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,006D8754,00000000,?,0000001C,?,?,00000000), ref: 006D7984
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: lstrcmpilstrcpylstrlen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: cdecl
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4031866154-3896280584
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 6ac56046a8318962b3ffdef236b3a41de62c5f03cc19039cff23d06f6ed428bd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 8c43e36b1625358e9ee549ea6d35e577f4a0d2ab8d14da98074a0cb851cd5801
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6ac56046a8318962b3ffdef236b3a41de62c5f03cc19039cff23d06f6ed428bd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FA11E43A600201AFCB155F34C855DBA77A6FF85350B00812BE802CB3A4FF319811C7A6
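The records in this listing give each function's API chain but leave the reader to work out what the chain does. The script below is an added triage helper, not part of the Joe Sandbox report or its IDA plugin: it parses records in this page's format ("APIs" through "Memory Dump Source"), extracts the ordered API chain, decodes a few USER32 numeric arguments (0x00B0 is EM_GETSEL, 0x00C9 is EM_LINEFROMCHAR, 2 passed to SetLayeredWindowAttributes is LWA_ALPHA), and flags three chains that appear on this page: the token-privilege check, the layered-window transparency change, and the edit-control selection probing in the SendMessageW record. The behaviour table, the constant table and the embedded SAMPLE text are constructed for the example. One caveat on the first record: the listing renders the GetTokenInformation class argument as 00000003(TokenIntegrityLevel), but TOKEN_INFORMATION_CLASS value 3 is TokenPrivileges (TokenIntegrityLevel is 25), and a TokenPrivileges query followed by LookupPrivilegeValueW and a _memcmp is the standard idiom for testing whether the token holds a named privilege; the signature keys on that API sequence rather than on the rendered label.

```python
"""Triage helper for Joe Sandbox per-function API listings.

Added example, not part of the Joe Sandbox report or its IDA plugin.
Parses records shaped like the ones in this listing ("APIs" ... "Memory
Dump Source"), extracts the ordered API chain, decodes a few USER32 numeric
arguments, and flags chains against a small behaviour table. CONSTANTS,
SIGNATURES and SAMPLE are constructed for the example.
"""
import re
from dataclasses import dataclass

# One "• Api.MODULE(args), ref: ADDR" line; subcall lines carry a prefix.
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Numeric arguments worth naming, keyed by the API they are passed to.
CONSTANTS = {
    "SendMessageW": {"000000B0": "EM_GETSEL", "000000C9": "EM_LINEFROMCHAR"},
    "SetLayeredWindowAttributes": {"00000002": "LWA_ALPHA"},
}

# Ordered token subsequence -> behaviour label (illustrative, not exhaustive).
SIGNATURES = {
    "privilege presence check (token privileges vs. looked-up LUID)":
        ("GetTokenInformation", "LookupPrivilegeValueW", "_memcmp"),
    "layered-window transparency (extended style + LWA_ALPHA)":
        ("SetWindowLongW", "SetLayeredWindowAttributes:LWA_ALPHA"),
    "edit-control selection probing (EM_GETSEL, EM_LINEFROMCHAR)":
        ("SendMessageW:EM_GETSEL", "SendMessageW:EM_LINEFROMCHAR"),
}

# Constructed sample in the listing's format (abridged from this page's records).
SAMPLE = """\
APIs
  • Part of subcall function 006D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?), ref: 006D1062
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006D15BE
• _memcmp.LIBVCRUNTIME ref: 006D15E1
• HeapFree.KERNEL32(00000000), ref: 006D161E
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 0070280A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00702824
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00702840
Memory Dump Source
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 006D1A47
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 006D1A59
Strings
Memory Dump Source
"""


@dataclass
class Call:
    api: str
    module: str
    args: str
    ref: str
    subcall: bool


def parse_records(text):
    """Split the listing into records; each record is the list of Call lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
        elif line == "Memory Dump Source" and current is not None:
            records.append(current)
            current = None
        elif current is not None:
            m = API_LINE.match(line)
            if m:
                current.append(Call(m["api"], m["mod"], m["args"] or "",
                                    m["ref"], m["sub"] is not None))
    return records


def tokens(record):
    """API names in call order, plus API:CONST tokens for decoded arguments."""
    out = []
    for call in record:
        out.append(call.api)
        names = CONSTANTS.get(call.api, {})
        for arg in call.args.split(","):
            if arg.strip() in names:
                out.append(f"{call.api}:{names[arg.strip()]}")
    return out


def is_subsequence(needle, hay):
    """True if every token of needle occurs in hay, in order, not necessarily adjacent."""
    it = iter(hay)
    return all(tok in it for tok in needle)


def flag(record):
    """Labels whose token subsequence occurs in this record's chain."""
    toks = tokens(record)
    return [label for label, sig in SIGNATURES.items() if is_subsequence(sig, toks)]


def triage(text):
    """Map each record's first listed ref address to the behaviours it matched."""
    return {rec[0].ref: flag(rec) for rec in parse_records(text) if rec}


if __name__ == "__main__":
    for ref, labels in triage(SAMPLE).items():
        print(ref, "->", labels or ["no match"])
```

Run it over the full report text instead of SAMPLE to sweep every function record at once; the subsequence match tolerates the Heap/lstr helper calls interleaved with the interesting ones, which is why the privilege signature still fires on the first record despite its HeapAlloc and HeapFree neighbours.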
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 006D1A47
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 006D1A59
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 006D1A6F
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 006D1A8A
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3850602802-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 436cc3173b1fe0396af70cdb0e7cdc72ab2aa5b4a5069e628818555b86c53606
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 48ea31594ea25bc8a3f133f0dba7aebca082d40166e27f0f2d918efeb190e85b
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 436cc3173b1fe0396af70cdb0e7cdc72ab2aa5b4a5069e628818555b86c53606
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D1113C3AD01219FFEB11DBA4CD85FADBB79EB04750F240092E600BB290D6B16E51DB94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 006DE1FD
                                                                                                                                                                                                                                                                                                                                                                                • MessageBoxW.USER32(?,?,?,?), ref: 006DE230
                                                                                                                                                                                                                                                                                                                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006DE246
                                                                                                                                                                                                                                                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006DE24D
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2880819207-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: c9d61ff9ace108f5e12db7bc2a57f5e5e5a1dcfb5e86672ae652654ee9a1708a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 0933cfe72e15dc3b5bf2d61a339dc47d339f40ef68ab21620c879206ef99cff6
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c9d61ff9ace108f5e12db7bc2a57f5e5e5a1dcfb5e86672ae652654ee9a1708a
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CA110876D04258BBC702AFA89C05A9F7FAD9B46310F00831AF914D7390D775DA0487A4
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CreateThread.KERNEL32(00000000,?,0069CFF9,00000000,00000004,00000000), ref: 0069D218
                                                                                                                                                                                                                                                                                                                                                                                • GetLastError.KERNEL32 ref: 0069D224
                                                                                                                                                                                                                                                                                                                                                                                • __dosmaperr.LIBCMT ref: 0069D22B
                                                                                                                                                                                                                                                                                                                                                                                • ResumeThread.KERNEL32(00000000), ref: 0069D249
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 173952441-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 2e152da9e94343dd52750eec65cc5afe3c27d6c7336a6bd62b6251a4deac39f3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 5cdaa69ed5607275b4fe09ccb93dbc25bce8122441ef6889acfb2ff9c5b63ede
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2e152da9e94343dd52750eec65cc5afe3c27d6c7336a6bd62b6251a4deac39f3
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4101D236805208BBCF116BA5DC09BAA7A6EDF82730F204329FA25925D0CF70CA01C6A5
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 00693B56
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00693AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00693AD2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00693AA3: ___AdjustPointer.LIBCMT ref: 00693AED
                                                                                                                                                                                                                                                                                                                                                                                • _UnwindNestedFrames.LIBCMT ref: 00693B6B
                                                                                                                                                                                                                                                                                                                                                                                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00693B7C
                                                                                                                                                                                                                                                                                                                                                                                • CallCatchBlock.LIBVCRUNTIME ref: 00693BA4
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006713C6,00000000,00000000,?,006A301A,006713C6,00000000,00000000,00000000,?,006A328B,00000006,FlsSetValue), ref: 006A30A5
• GetLastError.KERNEL32(?,006A301A,006713C6,00000000,00000000,00000000,?,006A328B,00000006,FlsSetValue,00712290,FlsSetValue,00000000,00000364,?,006A2E46), ref: 006A30B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006A301A,006713C6,00000000,00000000,00000000,?,006A328B,00000006,FlsSetValue,00712290,FlsSetValue,00000000), ref: 006A30BF
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 006D747F
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006D7497
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006D74AC
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006D74CA
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,006DACD3,?,00008000), ref: 006DB0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,006DACD3,?,00008000), ref: 006DB0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,006DACD3,?,00008000), ref: 006DB0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,006DACD3,?,00008000), ref: 006DB126
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 006D2DC5
                                                                                                                                                                                                                                                                                                                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 006D2DD6
                                                                                                                                                                                                                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 006D2DDD
                                                                                                                                                                                                                                                                                                                                                                                • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 006D2DE4
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2710830443-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 806fa67157c03c18201fc8cb566045d2b8ef4b312fb39c18ef73c22943b2907f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4fdd61997fa18cb6a346b43d3121e4ec08fb1ff3e92cfd9a76a53b948369dbf4
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 806fa67157c03c18201fc8cb566045d2b8ef4b312fb39c18ef73c22943b2907f
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CEE092B1501224BBD7315B729C0EFEB7E6EEF96BA1F004316F105D11809EA9C841C6B0
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00689693
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689639: SelectObject.GDI32(?,00000000), ref: 006896A2
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689639: BeginPath.GDI32(?), ref: 006896B9
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689639: SelectObject.GDI32(?,00000000), ref: 006896E2
                                                                                                                                                                                                                                                                                                                                                                                • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00708887
                                                                                                                                                                                                                                                                                                                                                                                • LineTo.GDI32(?,?,?), ref: 00708894
                                                                                                                                                                                                                                                                                                                                                                                • EndPath.GDI32(?), ref: 007088A4
                                                                                                                                                                                                                                                                                                                                                                                • StrokePath.GDI32(?), ref: 007088B2
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1539411459-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f055b61192321cd29d024c6d34b94b389c61b5ff649454ec5b7b7590596ae458
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 433806c6cd8e4c663475daaa991da80b0505b75db61312975b0acf19c2503e2e
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f055b61192321cd29d024c6d34b94b389c61b5ff649454ec5b7b7590596ae458
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 01F03A36041258FAEB136F94AC09FCA3E59AF06310F44C201FA11651E1CBB95551DBE9
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • GetSysColor.USER32(00000008), ref: 006898CC
                                                                                                                                                                                                                                                                                                                                                                                • SetTextColor.GDI32(?,?), ref: 006898D6
                                                                                                                                                                                                                                                                                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 006898E9
                                                                                                                                                                                                                                                                                                                                                                                • GetStockObject.GDI32(00000005), ref: 006898F1
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Color$ModeObjectStockText
                                                                                                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 4037423528-0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 52a477f48409e860a29389476552cad06fad7f12a49b6c695cf35700e1a1e8af
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: da0b77bc8536fed8a6f5ee0f15f1d089c992613b27184aef77a15b274fbf2d2f
• Opcode Fuzzy Hash: 52a477f48409e860a29389476552cad06fad7f12a49b6c695cf35700e1a1e8af
• Instruction Fuzzy Hash: 13E06D31244284EEDB225B74EC09BE83F61EB12336F18C319FAFA581E1CB7546509F20
APIs
• GetCurrentThread.KERNEL32 ref: 006D1634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,006D11D9), ref: 006D163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006D11D9), ref: 006D1648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,006D11D9), ref: 006D164F
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: 980822949a5566dbf2545132a75d8b05724a7c3584abea6f78038c18c9d90df2
• Instruction ID: 70b9a01de21879ca0e8d35a60a39cd65d5c7845811f72e4df4acda25ded0897b
• Opcode Fuzzy Hash: 980822949a5566dbf2545132a75d8b05724a7c3584abea6f78038c18c9d90df2
• Instruction Fuzzy Hash: F0E08C32A02211EBE7201FA0AE0DB963B7DAF45792F14CA09F245CD080EA788440CB68
APIs
• GetDesktopWindow.USER32 ref: 006CD858
• GetDC.USER32(00000000), ref: 006CD862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 006CD882
• ReleaseDC.USER32(?), ref: 006CD8A3
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: d1ea454b8d9c79edec59a8ef28533cfd4c9647708f7185449734d371711750a7
• Instruction ID: 96c871c4de380e3b198c398048365a2b29d81c695b70b7f51553d2b2f1415de1
• Opcode Fuzzy Hash: d1ea454b8d9c79edec59a8ef28533cfd4c9647708f7185449734d371711750a7
• Instruction Fuzzy Hash: 19E01AB0800204EFCF52AFA0D808A6DBBB2FB08310F10C219F846E7250CB3D8902AF54
APIs
• GetDesktopWindow.USER32 ref: 006CD86C
• GetDC.USER32(00000000), ref: 006CD876
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 006CD882
• ReleaseDC.USER32(?), ref: 006CD8A3
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: e6ba0305685304b966c75a9add4a52b3d2104492052807b9d31f32f17ae708a2
• Instruction ID: 1a8d0dc2a18b20755e1ee1d3fceeb41194b5d365abe74081514b64b6529ab118
• Opcode Fuzzy Hash: e6ba0305685304b966c75a9add4a52b3d2104492052807b9d31f32f17ae708a2
• Instruction Fuzzy Hash: B3E09A75800204DFCF52AFA0D80866DBBB6BB48311F14C649E94AE7250CB3D59019F54
APIs
  • Part of subcall function 00677620: _wcslen.LIBCMT ref: 00677625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 006E4ED4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• API String ID: 1725874428-3443410124
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b9ad87e8329c9a8d23c0dfc4de5c31b0bf1fb44e4794fe6b434bea92bbd859fa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 657a00c8fef383a14a45a23f8a323f8d27d1a6f9065b2934310a6c3c5ebebd1a
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b9ad87e8329c9a8d23c0dfc4de5c31b0bf1fb44e4794fe6b434bea92bbd859fa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 25918175A012449FDB14DF65C484EAABBF2BF84704F18809DE80A9F362CB35ED85CB91
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • __startOneArgErrorHandling.LIBCMT ref: 0069E30D
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: ErrorHandling__start
                                                                                                                                                                                                                                                                                                                                                                                • String ID: pow
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3213639722-2276729525
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 710cee4a7dc7609cd123b3d99121ec68d9f9a7cde1a84a2b46d7742662117be2
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: c5bcdb747189de4208257a62bf4bebaaf1c277fc11c54ae588161124fa6613b9
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 710cee4a7dc7609cd123b3d99121ec68d9f9a7cde1a84a2b46d7742662117be2
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E8513B61A0C20296CF15B718CD013F93BEEEF41740F748D69E095427EAEB368D969E4A
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • CharUpperBuffW.USER32(006C569E,00000000,?,0070CC08,?,00000000,00000000), ref: 006F78DD
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A
                                                                                                                                                                                                                                                                                                                                                                                • CharUpperBuffW.USER32(006C569E,00000000,?,0070CC08,00000000,?,00000000,00000000), ref: 006F783B
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: BuffCharUpper$_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: <ss
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3544283678-523161429
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 44a715e15142dc0254b7a7bbf74366de113f1984f6a544ceacb8cb8fd04891aa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f1dd2779b8599318bebffeaea3feba98fef814df14408a949d80d46e30527ec1
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 44a715e15142dc0254b7a7bbf74366de113f1984f6a544ceacb8cb8fd04891aa
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 25617E72914128EACF44FBE4CC91DFDB3BABF14300B548129F646A7192EF745A09DBA4
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                                                                                                • String ID: #
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 0-1885708031
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d54a87ece0efe6b5247a6f3e3b0e2f4920a7eb6a8dc73dc50cf43ea5a00e00e9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 4a8e319cccdcf8f995574926788dd6f1e7864de1726ad0b75d04f55fa2c0ba38
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d54a87ece0efe6b5247a6f3e3b0e2f4920a7eb6a8dc73dc50cf43ea5a00e00e9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DB511335500246DFDB15EF28C491AFA7BB6EF25310F248159E8919B390DA369E43CBA0
APIs
• Sleep.KERNEL32(00000000), ref: 0068F2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0068F2BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 006D29EB
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 006D2A8D
  • Part of subcall function 006D2C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 006D2CE0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
APIs
• CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006F57E0
• _wcslen.LIBCMT ref: 006F57EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
• API String ID: 157775604-1150593374
APIs
• _wcslen.LIBCMT ref: 006ED130
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006ED13A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 9614cf67f5bb1587e9c48719c5df11d30a64dd576d808c86e9724e4c97869a2e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: af07d16758c9cee9c4430325c28dde29e970aad2e87e729fcae1319da50253ae
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9614cf67f5bb1587e9c48719c5df11d30a64dd576d808c86e9724e4c97869a2e
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9D314F71D01209ABCF55EFA5CC85EEE7FBAFF04344F104019F819A6265EB31AA06CB65
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00703621
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0070365C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 6d0751940719cf859113f527f89e56c1f7f7f64d0338ae8f216d78bffe2aef24
• Instruction ID: 571b47f8d6bb39e510e3bbc07efdb2eaa0e6dddc739b50016345c4180f379e47
• Opcode Fuzzy Hash: 6d0751940719cf859113f527f89e56c1f7f7f64d0338ae8f216d78bffe2aef24
• Instruction Fuzzy Hash: 09318A71110604EAEB209F78DC80EBB73EDFF88720F10971DF8A597290DA39AD918764
APIs
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0070461F
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00704634
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: a428897fae623c181d0174767a431a04364768d01ecf9f42951bacff054565e5
• Instruction ID: 5d6dd8c435de3d0232793154759a2e383d9cd8d8182ce985f5a5e832780e1048
• Opcode Fuzzy Hash: a428897fae623c181d0174767a431a04364768d01ecf9f42951bacff054565e5
• Instruction Fuzzy Hash: 123127B5A01209DFDB14CFA9C980BDA7BF5FF49300F10416AEA04AB381E775A951CF90
APIs
• SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 006D2884
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 006D28B6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: 3c9f76bd6ad4099dca8906b8e2e97e425b428f1a59218c19d32ceab9b1fe031f
• Instruction ID: d5ef54d3d96b88deb124a1943d40d040ae5dc9ad5a3dd02445014bc1a81e0676
• Opcode Fuzzy Hash: 3c9f76bd6ad4099dca8906b8e2e97e425b428f1a59218c19d32ceab9b1fe031f
• Instruction Fuzzy Hash: 06212B72D00216ABCB119F55C491DFE77BADF98710F00815AE915A7380DA745C42C7A4
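The SendMessageW entries in the three function records above carry raw message IDs (00001132, 00001105, 0000110A, 00001002) that the report does not name. Resolving them against the common-control constants in CommCtrl.h (TV_FIRST = 0x1100, LVM_FIRST = 0x1000) shows they are TreeView and ListView housekeeping messages, which is the kind of GUI plumbing one expects in the runtime stub of a compiled AutoIt script (the report's overview flags the sample as likely AutoIt; that these routines belong to the AutoIt GUI layer is an inference, not something the report states). The following helper is an added example written for this page, not part of the Joe Sandbox output; the sample listing is constructed from the API lines shown above, and only the message IDs that occur on this page are mapped, so anything else is reported as unknown rather than guessed.

```python
"""Resolve raw SendMessageW message IDs in a Joe Sandbox function listing
to Windows common-control message names, to separate GUI plumbing from
functions worth reversing by hand."""
import re

# Constructed sample: the APIs lines copied from the records on this page.
SAMPLE_APIS = """\
• DestroyWindow.USER32(?,?,?,?), ref: 00703621
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0070461F
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00704634
• SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 006D2884
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 006D28B6
• SendMessageW.USER32(?,00001002,00000000,?), ref: 0070340A
"""

# Constants from CommCtrl.h (Windows SDK).
TV_FIRST = 0x1100
LVM_FIRST = 0x1000
MESSAGES = {
    TV_FIRST + 5: "TVM_GETCOUNT",
    TV_FIRST + 10: "TVM_GETNEXTITEM",
    TV_FIRST + 50: "TVM_INSERTITEMW",
    LVM_FIRST + 2: "LVM_GETIMAGELIST",
}
# wParam relation codes for TVM_GETNEXTITEM.
TVGN = {0: "TVGN_ROOT", 1: "TVGN_NEXT", 2: "TVGN_PREVIOUS",
        3: "TVGN_PARENT", 4: "TVGN_CHILD"}

# Shape of one Joe Sandbox API line: name.module(args), ref: address
CALL_RE = re.compile(
    r"SendMessageW\.USER32\(([^,]*),([0-9A-Fa-f]{8}),([^,]*),([^)]*)\),"
    r" ref: ([0-9A-Fa-f]{8})"
)


def resolve_message(msg_id: int) -> str:
    """Map a numeric window message to its symbolic name, or mark it unknown."""
    return MESSAGES.get(msg_id, f"unknown_0x{msg_id:04X}")


def parse_sendmessage(listing: str) -> list[dict]:
    """Extract every SendMessageW call from a listing and annotate it."""
    records = []
    for m in CALL_RE.finditer(listing):
        hwnd, msg, wparam, lparam, ref = m.groups()
        name = resolve_message(int(msg, 16))
        # Joe Sandbox prints '?' for arguments it could not recover statically.
        if name == "TVM_GETNEXTITEM" and wparam != "?":
            wparam = TVGN.get(int(wparam, 16), wparam)
        records.append({"ref": ref, "hwnd": hwnd, "msg": name,
                        "wparam": wparam, "lparam": lparam})
    return records


def all_common_control(records: list[dict]) -> bool:
    """True when every SendMessageW in the listing resolved to a known
    common-control message, i.e. the functions look like GUI plumbing."""
    return bool(records) and all(not r["msg"].startswith("unknown") for r in records)


if __name__ == "__main__":
    recs = parse_sendmessage(SAMPLE_APIS)
    for r in recs:
        print(f"{r['ref']}: {r['msg']} wParam={r['wparam']} lParam={r['lparam']}")
    print("GUI plumbing only:", all_common_control(recs))
```

Run against the full function listing of the report, this lets an analyst drop the TreeView/ListView helpers from the review queue and spend time on the records whose API IDs involve clipboard, input blocking, timing or network calls, which the overview lists as the behaviours of interest.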
APIs
  • Part of subcall function 006DED19: GetLocalTime.KERNEL32 ref: 006DED2A
  • Part of subcall function 006DED19: _wcslen.LIBCMT ref: 006DED3B
  • Part of subcall function 006DED19: _wcslen.LIBCMT ref: 006DED79
  • Part of subcall function 006DED19: _wcslen.LIBCMT ref: 006DEDAF
  • Part of subcall function 006DED19: _wcslen.LIBCMT ref: 006DEDDF
  • Part of subcall function 006DED19: _wcslen.LIBCMT ref: 006DEDEF
  • Part of subcall function 006DED19: _wcslen.LIBCMT ref: 006DEE2B
• SendMessageW.USER32(?,00001002,00000000,?), ref: 0070340A
Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen$LocalMessageSendTime
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u$SysDateTimePick32
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2216836867-2530228043
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 3438b6d07a955084ce97bbf7be4fd98415065420f869a04e6840438f13c3da89
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: bb0174b88938cd56ea097ffa8a7e43c61769c1975da093f7df885548373dd0e8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3438b6d07a955084ce97bbf7be4fd98415065420f869a04e6840438f13c3da89
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3621B471350209ABEF229E54DC82FFE73AEEB44754F104619F950AB1D0DAB9EC518760
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006D2178
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 006DB355
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006D2194,00000034,?,?,00001004,00000000,00000000), ref: 006DB365
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006D2194,00000034,?,?,00001004,00000000,00000000), ref: 006DB37B
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21D0,?,?,00000034,00000800,?,00000034), ref: 006DB42D
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 006D21DF
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 006DB3F8
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1045663743-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 5cd65c9f598159d53505301bf51ff107b5bad87fcec2caf2c91bc516a0d39abd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 1c2279493b50e1c6467e5217128dbc7411722b8c7edc132bc78428e3de3c9c03
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5cd65c9f598159d53505301bf51ff107b5bad87fcec2caf2c91bc516a0d39abd
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 70218E31D01129EBEF61DBA8DC41FDDBBB9FF15310F10419AF648A6290EA715A44CB94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0070327C
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00703287
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Combobox
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3850602802-2096851135
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: ba922d109648250556f6074e05d4c40fd76c3fe11e082fb1a028c811d3c5452c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 3ed8e093f0acf534d6cc16f43154cdd188bba9179abe8002366cb465deeadbb7
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ba922d109648250556f6074e05d4c40fd76c3fe11e082fb1a028c811d3c5452c
• Instruction Fuzzy Hash: A4116071200208BFEF259F54DC85EBB37AEEB94364F104229F918972D1D6799D518760
APIs
  • Part of subcall function 0067600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0067604C
  • Part of subcall function 0067600E: GetStockObject.GDI32(00000011), ref: 00676060
  • Part of subcall function 0067600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0067606A
• GetWindowRect.USER32(00000000,?), ref: 0070377A
• GetSysColor.USER32(00000012), ref: 00703794
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: ed22c6237907caa0d8df194879b194e97c62251a13a75d455ea87bf45409c5ee
• Instruction ID: ba3f24f2d3f1d8f3af8f86a5c5ec463aa7ea8502094fc0bb0507fbe5078cd36b
• Opcode Fuzzy Hash: ed22c6237907caa0d8df194879b194e97c62251a13a75d455ea87bf45409c5ee
• Instruction Fuzzy Hash: 671129B2610209EFDB01DFA8CC45AEA7BF8EB08314F005A15F955E2290DB39E8619B50
APIs
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007061FC
• SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00706225
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: 2fd9cf379aeb97640614d458c3e2452f50c2e8f2f76e920d9bf4cd94f73c3260
• Instruction ID: 12e06cf06998bedaef569cb96efda362db608702de16f5e27390be385f4aec22
• Opcode Fuzzy Hash: 2fd9cf379aeb97640614d458c3e2452f50c2e8f2f76e920d9bf4cd94f73c3260
• Instruction Fuzzy Hash: 1E11C431140219FEEB119F68CC29FB93BE9FB05710F004355FA169A1D1D7B9EA20DB54
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006ECD7D
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006ECDA6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: a3b063257298f4fee9b3ece8ec98a2d68826a830106e4f1af4b825f6f0a791a2
• Instruction ID: 29a35a9c926faef69157483d5b35b10a4c423e878ba18404edcca6296bce2e2b
• Opcode Fuzzy Hash: a3b063257298f4fee9b3ece8ec98a2d68826a830106e4f1af4b825f6f0a791a2
• Instruction Fuzzy Hash: 3F11C271206771BAD7384B678C49EE7BEAEEF527B4F00422AB10983180D7769842D6F0
APIs
• SendMessageW.USER32(?,?,?,?), ref: 00704FCC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: 3d9daf17595cd4fce932c90ddc74f036b469d079893151379f41f1170b370047
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 7d091e092d82b98ce2d5d31fd68cc5828575ead02ce755cce043c1f0ead9eb5c
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3d9daf17595cd4fce932c90ddc74f036b469d079893151379f41f1170b370047
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0521F27A60010AEFCB15CFA8C9408AE7BF9EB4D300B004694FA05A3360D635E961DB94
APIs
• SendMessageW.USER32(?,00000401,?,00000000), ref: 00703147
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u$button
• API String ID: 3850602802-1762282863
• Opcode ID: d042471c4e116fdbd9614f1229c1ae4da30d34a9cac56c8217bf20421d63999b
• Instruction ID: db4571d7b9fb793a14654b936f692b61eac9e2b9c3e4d07df2f0ecc47015d95e
• Opcode Fuzzy Hash: d042471c4e116fdbd9614f1229c1ae4da30d34a9cac56c8217bf20421d63999b
• Instruction Fuzzy Hash: 8C11A172150209EBDF119F64DC41FEA3BAAEF08354F104214FA54A71D0CB7AE8619B50
APIs
  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
• CharUpperBuffW.USER32(?,?,?), ref: 006D6CB6
• _wcslen.LIBCMT ref: 006D6CC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: STOP
• API String ID: 1256254125-2411985666
• Opcode ID: 114d275ff948d10c4ef51529d2380f29df893b15ee3cb0d91eab667cb0d42bd2
• Instruction ID: b7da242472b0479b2bc52e47365ef324eaaa8636b9f5b4e410ec808ae10501f8
• Opcode Fuzzy Hash: 114d275ff948d10c4ef51529d2380f29df893b15ee3cb0d91eab667cb0d42bd2
• Instruction Fuzzy Hash: 8601C432E145278ACB219FBDDC819FF77B7EF61710710052AF85296391EA35D901C650
APIs
  • Part of subcall function 006DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21D0,?,?,00000034,00000800,?,00000034), ref: 006DB42D
• SendMessageW.USER32(?,0000102B,?,00000000), ref: 006D243B
• SendMessageW.USER32(?,0000102B,?,00000000), ref: 006D245E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend$MemoryProcessWrite
• String ID: @U=u
• API String ID: 1195347164-2594219639
• Opcode ID: ba4065714fcadc18961bbf1f5fc0550fe5b360908810fd88b676ba2b74bd165a
• Instruction ID: a4d771a7b1c344a9891f6f67edf9ef4e2618fab00a13e747921a894871cab773
• Opcode Fuzzy Hash: ba4065714fcadc18961bbf1f5fc0550fe5b360908810fd88b676ba2b74bd165a
• Instruction Fuzzy Hash: 6E01DB32900115EBEB216F64DC56FEEBB79DB14310F10816BF515A61D1DB705D45CB60
APIs
• SendMessageW.USER32(?,0000133E,00000000,?), ref: 007043AF
• InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 00704408
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: InvalidateMessageRectSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 909852535-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: b34b574212eab4c5f4227b404ef920f986cfa7973d69e195ab719c5d5a3b9fb8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: dd2a3086e3c236a6f80088714042b2b6133235c63e37d26d5f85eebb2884551a
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b34b574212eab4c5f4227b404ef920f986cfa7973d69e195ab719c5d5a3b9fb8
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CF118F74500744EFEB21CF24C891BE7BBE5BF05310F108A1DE9AB97291DB756941DB50
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 006D2531
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000040D,?,00000000), ref: 006D2564
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 006DB3F8
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend$MemoryProcessRead_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 1083363909-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: db4faa77f5d24d29f4768010f71bab59ac6138f54a9e2c4951ed099be382a635
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: e17493cc722ccdbc4223b09149c40380ca54409f19a518f567f47ac156750f92
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: db4faa77f5d24d29f4768010f71bab59ac6138f54a9e2c4951ed099be382a635
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 37016D71900128EFDBA0AF94DC91EED77ADEB14340F80D0AAB649A6150DE315F89CB94
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 0068A529
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: Init_thread_footer_wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: ,%t$3yl
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 2551934079-2110182000
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 802f4e3b16015162c114dabd785f7d05a0901561baf361ab54adc8534ccc76b9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: f923746ba7ee8dbe3c3f33cee556628f27b6f087615ecf9eebc2f5a0be25da18
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 802f4e3b16015162c114dabd785f7d05a0901561baf361ab54adc8534ccc76b9
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F8012B317006109BEA04F7A8D81BA9D73ABDB05710F50426EF905572C3DF645D428BAF
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2
                                                                                                                                                                                                                                                                                                                                                                                • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,006C769C,?,?,?), ref: 00709111
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 00689944: GetWindowLongW.USER32(?,000000EB), ref: 00689952
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 007090F7
                                                                                                                                                                                                                                                                                                                                                                                Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: LongWindow$MessageProcSend
• String ID: @U=u
• API String ID: 982171247-2594219639
• Opcode ID: eddd635fbb92496b5aa4ce8755f57f2e357c1034b7a3fa3bafd973bfc5b69c6c
• Instruction ID: 2bacc54390d2dae0990cfeea1950a8b8dfa95596050831ecb8b9861808300c79
• Opcode Fuzzy Hash: eddd635fbb92496b5aa4ce8755f57f2e357c1034b7a3fa3bafd973bfc5b69c6c
• Instruction Fuzzy Hash: 8601B134200218EBDB21AF14DC49EA63BA6EB86365F144368FA511A2E2CB766C51CB64
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00743018,0074305C), ref: 007081BF
• CloseHandle.KERNEL32 ref: 007081D1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: \0t
• API String ID: 3712363035-315198736
• Opcode ID: 20b86d8cb5554909b0ab7e39c25eed8db1b51fd9858a37053c1d23ce03e0d935
• Instruction ID: 3ec7e80eda04f39d2082f7ea7f465d65c09c3dcb05f2b6d29c7cb1a7cf988cb1
• Opcode Fuzzy Hash: 20b86d8cb5554909b0ab7e39c25eed8db1b51fd9858a37053c1d23ce03e0d935
• Instruction Fuzzy Hash: 03F05EB5640304BAF7206761AC45FB77A9EDB05750F008626BB0CD61B2D77E8A0082BD
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006D2480
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006D2497
  • Part of subcall function 006D23DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 006D243B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: 841563f8c7d83c96e6b3191b2f95a69a23e8f58b1a3af1d331af263d89919869
• Instruction ID: a531b09353780a3f9496b1a444c338f9a2f21aeb4211f65377e11402334b2be7
• Opcode Fuzzy Hash: 841563f8c7d83c96e6b3191b2f95a69a23e8f58b1a3af1d331af263d89919869
• Instruction Fuzzy Hash: 0CF02730A01122BAEB211B16CC0FCDFBFAEDF56760B104295B805A2251CAB15D41C7F0
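A small triage helper, added here as an editor's example (it is not part of the Joe Sandbox report and not code from the analysed sample): it parses API annotation lines of the form shown in these entries (`SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006D2480`) and resolves the raw message numbers against the documented commctrl.h and winbase.h constants. Decoded, the SendMessageW traffic on this page is LVM_GETITEMCOUNT, LVM_GETITEMSTATE with the LVIS_SELECTED mask, LVM_SETITEMSTATE and TVM_GETNEXTITEM with TVGN_CARET/TVGN_ROOT, that is, generic ListView/TreeView control handling consistent with the AutoIt GUI runtime the report flags, while the CreateProcessW call carries NORMAL_PRIORITY_CLASS and a command line the static annotation cannot show (`?`). The sample lines are copied from this page; the function names (`parse_lines`, `decode`, `triage`, `categories`) and the category labels are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the "APIs" annotation lines from the function
# entries on this page, copied verbatim minus the bullet character.
SAMPLE_LINES = """\
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00743018,0074305C), ref: 007081BF
CloseHandle.KERNEL32 ref: 007081D1
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006D2480
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006D2497
Part of subcall function 006D23DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 006D243B
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006D2BFA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 006D2C2A
"""

# Grammar of one annotation line: optional sub-call prefix, API.MODULE,
# optional (hex args, '?' = value only known at run time), then "ref: <addr>".
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 constants (commctrl.h / winbase.h); only those needed here.
LVM_FIRST, TVM_FIRST = 0x1000, 0x1100
CONTROL_MSGS = {
    LVM_FIRST + 4:  "LVM_GETITEMCOUNT",
    LVM_FIRST + 43: "LVM_SETITEMSTATE",
    LVM_FIRST + 44: "LVM_GETITEMSTATE",
    TVM_FIRST + 10: "TVM_GETNEXTITEM",
}
TVGN = {0: "TVGN_ROOT", 1: "TVGN_NEXT", 2: "TVGN_PREVIOUS", 3: "TVGN_PARENT",
        4: "TVGN_CHILD", 5: "TVGN_FIRSTVISIBLE", 6: "TVGN_NEXTVISIBLE",
        7: "TVGN_PREVIOUSVISIBLE", 8: "TVGN_DROPHILITE", 9: "TVGN_CARET"}
LVIS = {0x1: "LVIS_FOCUSED", 0x2: "LVIS_SELECTED", 0x4: "LVIS_CUT", 0x8: "LVIS_DROPHILITED"}
CREATE_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
                0x20: "NORMAL_PRIORITY_CLASS", 0x200: "CREATE_NEW_PROCESS_GROUP",
                0x400: "CREATE_UNICODE_ENVIRONMENT", 0x08000000: "CREATE_NO_WINDOW"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list             # int per argument, None where the report shows '?'
    ref: str               # call-site address in the dump
    parent: Optional[str]  # enclosing sub-call function, if the line is one
    category: str = ""
    note: str = ""


def parse_lines(text: str) -> list:
    """Parse Joe Sandbox API annotation lines into ApiCall records."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API annotation: {line!r}")
        args = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("parent")))
    return calls


def _flag_names(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:                      # bits we have no name for
        names.append(hex(value & ~known))
    return "|".join(names) or "0"


def decode(call: ApiCall) -> ApiCall:
    """Resolve message numbers / creation flags and label the call."""
    if call.api == "SendMessageW" and len(call.args) >= 4:
        msg, wparam, lparam = call.args[1], call.args[2], call.args[3]
        name = "msg_unknown" if msg is None else CONTROL_MSGS.get(msg, f"msg_{msg:#06x}")
        detail = ""
        if name == "TVM_GETNEXTITEM" and wparam is not None:
            detail = f" wParam={TVGN.get(wparam, hex(wparam))}"
        elif name == "LVM_GETITEMSTATE" and lparam is not None:
            detail = f" mask={_flag_names(lparam, LVIS)}"   # lParam is the state mask
        call.category, call.note = "gui-control", name + detail
    elif call.api == "CreateProcessW" and len(call.args) >= 10:
        flags = call.args[5]                # dwCreationFlags is the 6th parameter
        cmd = ("lpCommandLine=<runtime value>" if call.args[1] is None
               else f"lpCommandLine={call.args[1]:#010x}")
        call.category = "process-creation"
        call.note = f"dwCreationFlags={_flag_names(flags, CREATE_FLAGS)}; {cmd}"
    else:
        call.category, call.note = "other", ""
    return call


def triage(text: str) -> list:
    return [decode(c) for c in parse_lines(text)]


def categories(calls: list) -> dict:
    counts = {}
    for c in calls:
        counts[c.category] = counts.get(c.category, 0) + 1
    return counts


if __name__ == "__main__":
    for c in triage(SAMPLE_LINES):
        where = f"{c.ref} (sub-call of {c.parent})" if c.parent else c.ref
        print(f"{where}: {c.api}.{c.module} [{c.category}] {c.note}")
```

The decoding only tells you what the runtime helper does with a control handle; the command line that CreateProcessW actually receives is a `?` in the static annotation and has to be taken from the dynamic process tree elsewhere in the report, not guessed from this listing.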
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: _wcslen
                                                                                                                                                                                                                                                                                                                                                                                • String ID: 3, 3, 16, 1
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 176396367-3042988571
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: d1771dad047eebf6519445ae7141ce7c55d12ab03d470c942b82af3eec3e8c4c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: c857ddec887922dd5d7b5bea5e32cda872b143231165048eb72c9f72963a08b0
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d1771dad047eebf6519445ae7141ce7c55d12ab03d470c942b82af3eec3e8c4c
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9EE02B4220422410927122799CC1DBF57CFCFC9750710182FFA81C236AEE948D9293E4
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006D2BFA
• SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 006D2C2A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
APIs
  • Part of subcall function 006D286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 006D2884
  • Part of subcall function 006D286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 006D28B6
• SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 006D2D80
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006D2D90
Strings
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
APIs
• SendMessageW.USER32(?,0000133D,?,?), ref: 00705855
• InvalidateRect.USER32(?,?,00000001), ref: 00705877
Strings
Similarity
• API ID: InvalidateMessageRectSend
• String ID: @U=u
• API String ID: 909852535-2594219639
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006D0B23
Strings
Similarity
• API ID: Message
• String ID: AutoIt$Error allocating memory.
• API String ID: 2030045667-4017498283
• Opcode ID: 0f9330a6f1f960f2e8457b2052834e1d40f5d820ed0faf0e97183e3b5a7c910c
• Instruction ID: 48bc33df4ec890a23a3d6c981182329975b32786df0e240bb65c7cee553cb16a
• Opcode Fuzzy Hash: 0f9330a6f1f960f2e8457b2052834e1d40f5d820ed0faf0e97183e3b5a7c910c
• Instruction Fuzzy Hash: 53E0D832244308B6E2553754BC07FC97BC58F05B51F10462FF748955C38ED6249046AD
APIs
  • Part of subcall function 0068F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00690D71,?,?,?,0067100A), ref: 0068F7CE
• IsDebuggerPresent.KERNEL32(?,?,?,0067100A), ref: 00690D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0067100A), ref: 00690D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00690D7F
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 55579361-631824599
• Opcode ID: e2b1c92d00ece44d71a11aa76a43953c7c7c532d0d211ffd4116ab3fc8679368
• Instruction ID: 84d08cba9686107ffa1b778a145251560400b4e5d265fe0c4dfadbd5781e3352
• Opcode Fuzzy Hash: e2b1c92d00ece44d71a11aa76a43953c7c7c532d0d211ffd4116ab3fc8679368
• Instruction Fuzzy Hash: A7E0E574200751CFE7719F78D8047467BE5BF14744F008B2DE495C6A51DBB9E4488B95
APIs
• __Init_thread_footer.LIBCMT ref: 0068E3D5
Strings
Similarity
• API ID: Init_thread_footer
• String ID: 0%t$8%t
• API String ID: 1385522511-3566158117
• Opcode ID: c6751414d57b6b24c93a67b00644b7c0f6f7a20d700845a1f27cb42980dc9835
• Instruction ID: 59e153d56623755417a78dbd24c9b2578d5d4c12cd231532948f9ebd29b700bc
• Opcode Fuzzy Hash: c6751414d57b6b24c93a67b00644b7c0f6f7a20d700845a1f27cb42980dc9835
• Instruction Fuzzy Hash: 8FE02639508D10CFCA04B718B854A88B35BEB06320B9042FAF102872D3DB392C63874C
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 006E302F
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 006E3044
Strings
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: ed85e5ada1040330a5866b83cfb2c5c70cbe8d722ce5ffecf520b12a05913a87
• Instruction ID: ad266126209d14cb36fbb63bb2a3a4f43abc82484e07b625ebd4a3b4fab7dd7a
• Opcode Fuzzy Hash: ed85e5ada1040330a5866b83cfb2c5c70cbe8d722ce5ffecf520b12a05913a87
• Instruction Fuzzy Hash: 52D05EB2500328B7DA20A7A4AC0EFCB3A6CEB05750F0043A1B655E60D1DEF89984CAD4
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0070236C
• PostMessageW.USER32(00000000), ref: 00702373
  • Part of subcall function 006DE97B: Sleep.KERNEL32 ref: 006DE9F3
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FindMessagePostSleepWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Shell_TrayWnd
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 529655941-2988720461
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: f90b3d50f566237a22fa4b7b694f1ee596aa806da4cf3f0aa3906a45c069a2ea
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: dc56aaf86460a58cf71506c165c9a5b7d6318b27ad9448f60ddaa372c8b6c3f4
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f90b3d50f566237a22fa4b7b694f1ee596aa806da4cf3f0aa3906a45c069a2ea
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FED0A972781300BAE2A8B3309C0FFC666089B00B04F108B067201AA1D0C8A9A8008A58
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0070232C
                                                                                                                                                                                                                                                                                                                                                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0070233F
                                                                                                                                                                                                                                                                                                                                                                                  • Part of subcall function 006DE97B: Sleep.KERNEL32 ref: 006DE9F3
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: FindMessagePostSleepWindow
                                                                                                                                                                                                                                                                                                                                                                                • String ID: Shell_TrayWnd
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 529655941-2988720461
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 3051555868429f236be361eda1b175ae5e93d83f3aedc2a3c5fd58af8fbf2ef4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 86fd1a057ade134631c4dcf0a8456e93ad79aed1458a53bacfa16168b411b268
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3051555868429f236be361eda1b175ae5e93d83f3aedc2a3c5fd58af8fbf2ef4
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0DD0A976780300B6E2A8B3309C0FFC66A089B00B04F108B067205AA1D0C8A9A8008A58
                                                                                                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006D231F
                                                                                                                                                                                                                                                                                                                                                                                • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 006D232D
                                                                                                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                • Source File: 00000000.00000002.1445742300.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445696322.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445857970.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1445973001.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                • Associated: 00000000.00000002.1446018127.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_670000_6eftz6UKDm.jbxd
                                                                                                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                                                                                                • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                • API String ID: 3850602802-2594219639
                                                                                                                                                                                                                                                                                                                                                                                • Opcode ID: 50e44af17559ec49b0a82f0dd8424d51bbf90578791629e8b144ef8477c097b6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction ID: 1014f15008406a42650a449acd2702056de302ae39a1d7b31c035a206e7ea4a8
                                                                                                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 50e44af17559ec49b0a82f0dd8424d51bbf90578791629e8b144ef8477c097b6
                                                                                                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ABC00231140180BAE6321B67AD0DD573E3DE7DAF517105298B215950A58E6A0056D628